ChangeReplicas(...) REMOVE replica process fail, because scanner delete it from the queue according shouldQueue

[jonyguo]

[Question 1]:
For example, ChangeReplicas(...)
step 1. range 1 has A,B,C three replica
step 2. add replica D to range 1, then range 1 has A,B,C,D four replica
step 3. delete replica A from range 1, then range 1 has B,C,D three replica, replica A will be added to the replica_gc_queue

But, in step 3, it's a replica gc queue. If there are many elements in queue,
the scanner will scan the replicas in the store, meanwhile there is new leader lease which was took affect with the replica.
The queue.go MaybeAdd -> shouldQueue will return false,0 accroding to the lease expiration 24H and remove the replica from the queue.
Wait a moment, kill the cockroach, the cockroach will never be started again.
Beause the replica' local meta is not deleted yet, start command will load it and panic.

Summary,
ChangeReplicas(...) RemoveReplica operation add replica to the replica_gc_queue directly without shouldQueue.
Scanner will add/remove replica to/from the replica_gc_queue according to the shouldQueue.
The two of them will affect each other.

[Question 2]:
The replica_gc_queue is a asynchronous processing. If the queue has not been fully processed, the cockroach is down.
The local meta is not deleted yet. Restart will be fail.

How do you feel? Or other suggestions.

[bdarnell]

Question 1: Yes, this looks like a bug. Instead of bypassing shouldQueue when adding the removed replica to the queue, we should probably set a flag on the Replica object itself which can be checked in shouldQueue. (Adding a flag like this seems like a good idea anyway to ensure that we don't try to do anything else with a replica that is about to be deleted)

There might be a related problem with the use of a buffered channel in replicaScanner.removeReplica. The replica is asynchronously removed some time later, which could be surprising if the queue is busy and there have been other changes between the time RemoveReplica is called and when the replica is actually removed.

Question 2: What exactly is the failure? Is it a panic in RawNode.Tick as in #3896? I think we need to add a check for nil in the Tick loop and when we find a RangeDescriptor at startup that doesn't include our store ID we can send it to the replicaGCQueue.

[yananzhi]

@bdarnell @jonyguo @cuongdo
I reproduce it by the following test:

// TestStoreRrestart veryfies store restart with a pending delete replica.
func TestStoreRrestart(t *testing.T) {
    defer leaktest.AfterTest(t)
    mtc := startMultiTestContext(t, 2)
    defer mtc.Stop()

    firstRng, err := mtc.stores[0].GetReplica(1)
    if err != nil {
        t.Fatal(err)
    }

    mtc.replicateRange(firstRng.Desc().RangeID, 1)
    mtc.unreplicateRange(firstRng.Desc().RangeID,1)

    mtc.stopStore(1)
    mtc.restartStore(1)

    // Wait store1 tick onece at leat.
    // Is there has better idea to wait store tick?
    time.Sleep(200*time.Millisecond)
}

A store start with a pending delete replica(Replica change txn has succeed, but the replica has not be delete by replicaGCQueue)

[signal 0xb code=0x1 addr=0x0 pc=0xaf3874]

goroutine 115 [running]:
github.com/coreos/etcd/raft.(*RawNode).Tick(0x0)
    /home/zyn/gopath/src/github.com/coreos/etcd/raft/rawnode.go:115 +0x14
github.com/cockroachdb/cockroach/storage.(*Store).processRaft.func1()
    /home/zyn/gopath/src/github.com/cockroachdb/cockroach/storage/store.go:1628 +0x70b
github.com/cockroachdb/cockroach/util/stop.(*Stopper).RunWorker.func1(0xc8202eee70, 0xc820340d30)
    /home/zyn/gopath/src/github.com/cockroachdb/cockroach/util/stop/stopper.go:98 +0x52
created by github.com/cockroachdb/cockroach/util/stop.(*Stopper).RunWorker
    /home/zyn/gopath/src/github.com/cockroachdb/cockroach/util/stop/stopper.go:99 +0x62

The raftGroup of replica was unset in this case.

func (r *Replica) newReplicaInner(desc *roachpb.RangeDescriptor, clock *hlc.Clock) error {
    r.mu.Lock()
    defer r.mu.Unlock()

    r.mu.cmdQ = NewCommandQueue()
    r.mu.tsCache = NewTimestampCache(clock)
    r.mu.pendingCmds = map[cmdIDKey]*pendingCmd{}

    r.setDescWithoutProcessUpdateLocked(desc)

    var err error
    r.mu.lastIndex, err = r.loadLastIndexLocked()
    if err != nil {
        return err
    }

    r.mu.appliedIndex, err = r.loadAppliedIndexLocked(r.store.Engine())
    if err != nil {
        return err
    }

    r.mu.leaderLease, err = loadLeaderLease(r.store.Engine(), desc.RangeID)
    if err != nil {
        return err
    }

    _, repDesc := desc.FindReplica(r.store.StoreID())// Here: If the store itself was't found in desc, 
        // don't call the setReplicaIDLocked to set the raftGoup of replica.
    if repDesc != nil {
        if err := r.setReplicaIDLocked(repDesc.ReplicaID); err != nil {
            return err
        }
    }

    return nil
}