kv: DeleteRange anomaly at SNAPSHOT

[tbg]

TestTxnDBLostUpdateAnomaly_DeleteRange currently fails with variations of

iso=[SNAPSHOT SNAPSHOT SNAPSHOT], pri=[3 2 1]
I1.1(A)[1] C1.1 DR3.1(A-C) R2.1(A)[1] C3.1 W2.1(B-A)[1] C2.1

and

iso=[SNAPSHOT SNAPSHOT SNAPSHOT], pri=[2 3 1]
I1.1(A)[1] C1.1 R2.1(A)[1] DR3.1(A-C) W2.1(B-A)[1] C3.1 C2.1

In the first

• the value A=1 is written and committed
• transaction 3 deletes A-C (which means leaving an intent on A and
  populating the write timestamp cache interval A-C.
• transaction 2 pushes the intent on A and reads A=1.
  The write timestamp cache entry on A isn't updated properly in the process
  (which is an unrelated issue that likely incurs anomalies).
• transaction 2 writes B=1, commits.
  This is the anomaly: logically, there is DeleteRange intent sitting there
  with a higher timestamp, so this should be a write-write conflict. But there
  isn't an actual intent there (since the key was previously vacant, just like
  the countably infinite rest of vacant keys around it).
• transaction 3 commits (at its higher timestamp), so now A=,
  but note that we still have B=1 (written by transaction 2).

Note that this example should fail in the same way with only transaction 3 at
SNAPSHOT isolation.

The one obvious fix that comes to mind is to "somehow" push the whole range
entry in the timestamp cache forward along with the push of one of its intents.
However, that seems brittle and may not reliably be possible since the
timestamp cache's current implementation freely splits up its intervals as new
entries are added.

In the second one, the read of A and the range deletion are interchanged:

iso=[SNAPSHOT SNAPSHOT SNAPSHOT], pri=[2 3 1]
I1.1(A)[1] C1.1 R2.1(A)[1] DR3.1(A-C) W2.1(B-A)[1] C3.1 C2.1

In other words:

• write and commit A=1 as before
• txn2 reads A=1
• txn3 deletes A-C (so ts(txn3) > ts(txn2))
• txn2 writes B=1 (pushing its timestamp due to tsCache entry on A-C); now
  again ts(txn3) < ts(txn2)
• both commit and the visible values are A=, B=1; we've again lost txn3's
  deletion of B.

This seems a little less anomalous than the above since essentially what
happens is that txn2 has write skew: It reads a stale value of A and writes
it somewhere, except that this "somewhere" would be a write-write conflict in
most monolithic databases.

See #6227 for the PR that introduced these tests.

[tbg]

via @bdarnell:

For the DeleteRange anomaly, what if we marked intents laid down by commands that also update the timestamp cache (just DeleteRange?) as unpushable, so the intent would never move to a timestamp inconsistent with the cache? I guess that would be equivalent to making all transactions containing DeleteRange SSI instead of SI. That seems easier than trying to update the timestamp cache when a transaction is pushed.

Yes, putting a flag on the intents is one option (it's a good one in the sense that it wouldn't interfere with anything that isn't a DeleteRange but has the downside of a downstream Raft proto change and feeling pretty arbitrary for this special case).

Making txns with a DeleteRange SSI seems easier but also complicates the isolation story (it would leak to the user and the behaviour is weird). Also, switching isolations half-way through a transaction is a bit sketchy (though it's "probably" fine in that direction).

I'm still hoping that there's a solution which solves this at the tsCache level - if we push intents, we also ought to be doing something to the write timestamp cache. That cache is usually very small, and since it's only used for range writes, maybe we can get away with updating the whole range on a Push. That'd be more straightforward to understand (since the timestamp cache is what prevents this type of anomaly when there isn't a push, at SERIALIZABLE), but I haven't thought about it much yet.

[tbg]

Unfortunately, this really puts us in a bind. I realized that it's not really
about the intent laid down by the DeleteRange itself. Consider the same history
as above, but we don't do a DelRange[a,c) but instead two operations,
Del(a) and DelRange[a\x00, c). Then pushing the intent on a (which could
even be on a different Range than [a\x00, c) would have to have some effect
on what's known about key c. In other words, when it comes to the point where
we have to salvage integrity on the Push, we've already lost.

Upgrading the transaction from SNAPSHOT to SERIALIZABLE isn't an option: We
would have to unconditionally upgrade whenever we push any SNAPSHOT
transaction, at which point we might as well abolish SNAPSHOT. On top of it
being weird for a client to think that they are running at SNAPSHOT when they
aren't. Also, not being able to rely on a transaction which starts SNAPSHOT to
remain it might limit what we can do under contention (though I don't have a
specific example).

Disallowing DeleteRange in SNAPSHOT could work, but it forces a bunch of
special-casing in ./sql. It's not really my call to make, but DelRange is
(already) used in some fast paths which would have to be special-cased for
SNAPSHOT and use a way worse implementation instead. Again, this wouldn't be
transparent to the user.

Accepting the anomaly as part of our SNAPSHOT isolation: No. The effects of
this anomaly, on top of being untypical of SNAPSHOT implementations, can't
really be predicted (and would likely easily confuse the SQL layer as well).

There is another option to be explored, which is that of storing Range intents
not on the actual keys in the range (which is really the problem here) but in a
separate data structure (which would have to be persisted, but may have to be
cached in memory for easier access - it would usually be empty, seeing that
DeleteRange is our only such operation). Introducing that could probably be set
up in a way that isn't more expensive (except when the majority of deletions
are empty ranges), saving work when many keys are affected.

That's a more involved change, of course, but maybe that's what it takes.
Curious what everyone else's opinions/ideas are.

[spencerkimball]

@tschottdorf A less involved change would be to mark in a snapshot txn if the txn itself involved a delete range. If yes, and the timestamp was advanced, it would have to restart.

[spencerkimball]

I gave the implementation a shot. Hate adding flags to the Transaction record, but this fix is very simple and works even for your more insidious case of Del(a) and DelRange[a\x00, c).