kvserver: avoid or at least efficiently handle intent buildup

[tbg]

Describe the problem

We have received numerous instances in which large numbers of intents (hundreds of thousands and more) were able to build up on a range. While this is always theoretically possible - intent cleanup is async and best-effort, so an ill-timed crash can temporarily leave the intents behind - it appears that this is happening in scenarios where it is unexpected.

See for example (internal link): https://github.com/cockroachlabs/support/issues/817

The issue often leads to stuck backups because of #59704 (which we should independently fix).

To Reproduce

Reproducing these issues is part of the problem. So far we only strongly suspect that there are issues, but there is no concrete clue.

Expected behavior
Intents should only be able to build up when

Additional data / screenshots
Recap of the intent resolution behavior:

Intents are generally resolved when EndTxn(commit=true) has finished applying. We will then hit this code path:

cockroach/pkg/kv/kvserver/replica_write.go

Lines 188 to 192 in 218a5a3

	if err := r.store.intentResolver.CleanupTxnIntentsAsync(
	ctx, r.RangeID, propResult.EndTxns, true, /* allowSync */
	); err != nil {
	log.Warningf(ctx, "%v", err)
	}

which calls into this:

cockroach/pkg/kv/kvserver/intentresolver/intent_resolver.go

Lines 545 to 559 in 23263a3

	for i := range endTxns {
	et := &endTxns[i] // copy for goroutine
	if err := ir.runAsyncTask(ctx, allowSyncProcessing, func(ctx context.Context) {
	locked, release := ir.lockInFlightTxnCleanup(ctx, et.Txn.ID)
	if !locked {
	return
	}
	defer release()
	if err := ir.cleanupFinishedTxnIntents(
	ctx, rangeID, et.Txn, et.Poison, nil, /* onComplete */
	); err != nil {
	if ir.every.ShouldLog() {
	log.Warningf(ctx, "failed to cleanup transaction intents: %v", err)
	}
	}

One possibility is that the intent resolver erroneously skips large batches of txn intents because it is already tracking some smaller amount of work on behalf of the same txn, in which case we'd somehow end up in the !locked code path. In practice, this seems very unlikely, since we only invoke this method from the GC queue (which doesn't touch txns younger than 1h) and the EndTxn(commit=true) proposal result itself, of which there is only ever one.

This raises the question why lockInflightTxnCleanup even exists. I think it may either be premature optimization or related to the GC queue code path. The code hasn't changed much since 2017, i.e. it is very old.

I did check that the cleanup intents are properly scoped to a new background-derived context, i.e. we're not accidentally tying these cleanup attempts to the short-lived caller's context. We're also not introducing an overly aggressive timeout, actually to the best of my knowledge in this particular path there isn't a timeout (?) as runAsyncTask derives from context.Background() and we don't add a timeout anywhere.

Also, isn't this code wrong:

cockroach/pkg/internal/client/requestbatcher/batcher.go

Lines 355 to 366 in 8c5253b

	// Update the deadline for the batch if this requests's deadline is later
	// than the current latest.
	rDeadline, rHasDeadline := r.ctx.Deadline()
	// If this is the first request or
	if len(ba.reqs) == 0 ||
	// there are already requests and there is a deadline and
	(len(ba.reqs) > 0 && !ba.sendDeadline.IsZero() &&
	// this request either doesn't have a deadline or has a later deadline,
	(!rHasDeadline || rDeadline.After(ba.sendDeadline))) {
	// set the deadline to this request's deadline.
	ba.sendDeadline = rDeadline
	}

It seems that it would erase ba.sendDeadline if len(ba.Reqs) > 0, ba.sendDeadline > 0, and !rHasDeadline. However, if anything, this would swallow a context cancellation rather than cause a premature one.

Another thing worth noting is that parallel commits prevents clients from seeing the backpressure. When EndTxn(commit=true) runs, it may feel backpressure. However, that request in parallel commits is completely disjoint from the SQL client as it is fired-and-forgotten here:

cockroach/pkg/kv/kvclient/kvcoord/txn_interceptor_committer.go

Lines 431 to 455 in ab0b87a

	// makeTxnCommitExplicitAsync launches an async task that attempts to move the
	// transaction from implicitly committed (STAGING status with all intents
	// written) to explicitly committed (COMMITTED status). It does so by sending a
	// second EndTxnRequest, this time with no InFlightWrites attached.
	func (tc *txnCommitter) makeTxnCommitExplicitAsync(
	ctx context.Context, txn *roachpb.Transaction, lockSpans []roachpb.Span, canFwdRTS bool,
	) {
	// TODO(nvanbenschoten): consider adding tracing for this request.
	// TODO(nvanbenschoten): add a timeout to this request.
	// TODO(nvanbenschoten): consider making this semi-synchronous to
	// backpressure client writes when these start to slow down. This
	// would be similar to what we do for intent resolution.
	log.VEventf(ctx, 2, "making txn commit explicit: %s", txn)
	if err := tc.stopper.RunAsyncTask(
	context.Background(), "txnCommitter: making txn commit explicit", func(ctx context.Context) {
	tc.mu.Lock()
	defer tc.mu.Unlock()
	if err := makeTxnCommitExplicitLocked(ctx, tc.wrapped, txn, lockSpans, canFwdRTS); err != nil {
	log.Errorf(ctx, "making txn commit explicit failed for %s: %v", txn, err)
	}
	},
	); err != nil {
	log.VErrEventf(ctx, 1, "failed to make txn commit explicit: %v", err)
	}
	}

Environment:

• CockroachDB 20.1.8 and above (probably also below)

Additional context
Once we have the separated lock table, it might be much cheaper to be reactive to the problem.

Epic: CRDB-2554

[tbg]

FWIW I was playing around with

create table foo(v string);
insert into foo values('a'), ('b'), ('c'), ('d'), ('e');
set statement_timeout='50s';
insert into foo select * from foo; -- repeat until stmt_timeout hit
select now(), max(crdb_internal.range_stats(start_key)->'intent_count') from crdb_internal.ranges_no_leases;

The last insert leaves around ~600k intents, and despite hitting the statement timeout they clear out within a few minutes (at a couple thousand resolved a second).

[ajwerner]

cockroach/pkg/kv/kvserver/intentresolver/intent_resolver.go

Line 419 in 23263a3

ir.Metrics.IntentResolverAsyncThrottled.Inc(1)

Have we checked this metric? Also, the GC path is going to hit the semaphore limiter. Is it possible that the gc queue somehow isn't resolving intents because of this?

cockroach/pkg/kv/kvserver/intentresolver/intent_resolver.go

Lines 602 to 608 in 23263a3

	return ir.stopper.RunLimitedAsyncTask(
	// If we've successfully launched a background task,
	// dissociate this work from our caller's context and
	// timeout.
	ir.ambientCtx.AnnotateCtx(context.Background()),
	"processing txn intents",
	ir.sem,

[joshimhoff]

Two Qs from your friendly SREs:

1. Have we seen impact worse than BACKUP failures caused by this issue so far, maybe in on-prem? Have we seen DML unavailability or similar?

2. If not, can we imagine this problem causing DML unavailability or similar?

[andreimatei]

I'd test whether we broke something in the cleanup path for dropped pgwire connections. I think a rollback for any ongoing txn is supposed to be happen courtesy of this code, but maybe something rotted.

cockroach/pkg/sql/conn_executor.go

Line 826 in 4086c3e

if err := ex.machine.ApplyWithPayload(ctx, ev, payload); err != nil {

If not, can we imagine this problem causing DML unavailability or similar?

Cleaning up a lot of abandoned locks can be expensive... My understanding is that most reads should be smart in cleaning up many locks at once (but notably the ExportRequests done by backups I understand are dumb and do it one by one), but I guess my answer to the question about whether this can cause "unavailability" is that I'd expect it to cause big problems, yeah.

[joshimhoff]

Hmm. We'll be on the lookout for any prod issues that can be tied back to this issue. Thanks for the info!

[bdarnell]

Another thing worth noting is that parallel commits prevents clients from seeing the backpressure. When EndTxn(commit=true) runs, it may feel backpressure. However, that request in parallel commits is completely disjoint from the SQL client as it is fired-and-forgotten here:

This is the one that raises alarms for me. If there's no backpressure it's easy for things to get out of control (I believe #5219 was the one that introduced backpressure here and it was motivated by the real-world problem in #4925). That's especially true when network latency is high (which is the case for at least one customer experiencing this issue).

This raises the question why lockInflightTxnCleanup even exists. I think it may either be premature optimization or related to the GC queue code path. The code hasn't changed much since 2017, i.e. it is very old.

I think its roots are even older, in that same PR #5219. While it wasn't discussed as much in the linked issues, I don't think it was premature optimization; we were seeing thundering herd problems where many readers would try to push/resolve the same recently-committed transaction.

[tbg]

I think its roots are even older, in that same PR #5219. While it wasn't discussed as much in the linked issues, I don't think it was premature optimization; we were seeing thundering herd problems where many readers would try to push/resolve the same recently-committed transaction.

But at present, there are only two callers to this lock: the GC queue and the txn's own transaction record cleanup intent. The thundering herd wouldn't hit this path. The thundering herd goes here and has its own work avoidance (which uses the same kind of mechanism)

cockroach/pkg/kv/kvserver/intentresolver/intent_resolver.go

Line 494 in 23263a3

pushedTxns, pErr := ir.MaybePushTransactions(ctx, pushTxns, h, pushType, skipIfInFlight)

Either way, this certainly isn't making anything worse.

[tbg]

I'd test whether we broke something in the cleanup path for dropped pgwire connections. I think a rollback for any ongoing txn is supposed to be happen courtesy of this code, but maybe something rotted.

I did ./cockroach demo, connected in a separate shell, ran a large insert and CTRL-C'ed it half-way through. The intent count dropped to zero (gradually). I did the same with a kill -9 of the SQL cli and the behavior was the same.