kv: disallow GC requests that bump GC threshold and GC expired versions

[nvb]

Related to #55293.

This commit adds a safeguard to GC requests that prevents them from
bumping the GC threshold at the same time that they GC individual MVCC
versions. This was found to be unsafe in #55293 because performing both
of these actions at the same time could lead to a race where a read
request is allowed to evaluate without error while also failing to see
MVCC versions that are concurrently GCed.

This race is possible because foreground traffic consults the in-memory
version of the GC threshold (r.mu.state.GCThreshold), which is updated
after (in handleGCThresholdResult), not atomically with, the application
of the GC request's WriteBatch to the LSM (in ApplyToStateMachine). This
allows a read request to see the effect of a GC on MVCC state without seeing
its effect on the in-memory GC threshold.

The latches acquired by GC quests look like it will help with this race,
but in practice they do not for two reasons:

1. the latches do not protect timestamps below the GC request's batch
   timestamp. This means that they only conflict with concurrent writes,
   but not all concurrent reads.
2. the read could be served off a follower, which could be applying the
   GC request's effect from the raft log. Latches held on the leaseholder
   would have no impact on a follower read.

Thankfully, the GC queue has split these two steps for the past few
releases, at least since 87e85eb, so we do not have a bug today.

The commit also adds a test that reliably exercises the bug with a few
well-placed calls to time.Sleep. The test contains a variant where the
read is performed on the leaseholder and a variant where it is performed
on a follower. Both fail by default. If we switch the GC request to
acquire non-MVCC latches then the leaseholder variant passes, but the
follower read variant still fails.

[cockroach-teamcity]

This change is 

[aayushshah15]

nice test, thanks for writing it.

I have a general question about the way mvcc GC works and I'm likely missing something fundamental. Why do we need to compute per-key gc timestamps inside processReplicatedKeyRange here?

cockroach/pkg/kv/kvserver/gc/gc.go

Lines 371 to 379 in 299abc8

	isNewest := s.curIsNewest()
	if isGarbage(threshold, s.cur, s.next, isNewest) {
	keyBytes := int64(s.cur.Key.EncodedSize())
	batchGCKeysBytes += keyBytes
	haveGarbageForThisKey = true
	gcTimestampForThisKey = s.cur.Key.Timestamp
	info.AffectedVersionsKeyBytes += keyBytes
	info.AffectedVersionsValBytes += int64(len(s.cur.Value))
	}

Looking at MVCCGarbageCollect, why can't we avoid all this and tell it to GC all keys that are lower than the new GC threshold?

Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @aayushshah15 and @nvanbenschoten)

---

pkg/kv/kvserver/replica_test.go, line 8684 at r1 (raw file):

						Store: &StoreTestingKnobs{
							// Disable the GC queue so the test is the only one issuing GC
							// requests.

request*

[nvb]

TFTR!

bors r+

I have a general question about the way mvcc GC works and I'm likely missing something fundamental. Why do we need to compute per-key gc timestamps inside processReplicatedKeyRange here?

I don't think there's a fundamental reason why we do things this way vs. pushing the determination of all of the versions to GC through the GC request. The only real difference I can think of is that keeping the decision in the MVCC GC queue allows it to batch at a finer granularity and more accurately predict + limit the size of a single GC batch to KeyVersionChunkBytes.

Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @aayushshah15)

---

pkg/kv/kvserver/replica_test.go, line 8684 at r1 (raw file):

Previously, aayushshah15 (Aayush Shah) wrote…

request*

I think this should be "requests", no?

[craig]

Build failed (retrying...):

• GitHub CI (Cockroach)

[nvb]

bors r-

[craig]

Canceled.

[nvb]

Under stress:

------- Stdout: -------
=== RUN   TestGCThresholdRacesWithRead/followerRead=true/thresholdFirst=true
    replica_test.go:8797: read won race: header:<>
    replica_test.go:8799:
          Error Trace:  replica_test.go:8799
                              replica_test.go:8813
                              asm_amd64.s:1581
          Error:        Expected value not to be nil.
          Test:         TestGCThresholdRacesWithRead/followerRead=true/thresholdFirst=true
        --- FAIL: TestGCThresholdRacesWithRead/followerRead=true/thresholdFirst=true (1.25s)

I wonder if this found a real bug.

[nvb]

I'm actually able to hit this test failure under stress even in the /followerRead=false/thresholdFirst=true case. So all four variants are flaky.

I dug into what's going wrong and it appears that GC is broken even when we bump the GC threshold in a separate request from when we GC old MVCC versions. The reason for this is because of the incorrect latching that we noticed in #55293 combined with the lazy LSM snapshot we capture during request evaluation discussed in #55461. This can lead to races like the following:

sequenceDiagram
    participant Reader
    participant Replica
    participant GC Requests
    participant MVCC GC Queue
    Reader->>Replica: acquire latches
    Reader->>Replica: checkTSAboveGCThresholdRLocked
    Replica->>Reader: clear to proceed
    MVCC GC Queue->>GC Requests: bump GC threshold
    GC Requests->>Replica: acquire latches
    GC Requests->>Replica: bump GC threshold
    GC Requests->>MVCC GC Queue: success
    MVCC GC Queue->>GC Requests: GC expired MVCC version
    GC Requests->>Replica: acquire latches
    GC Requests->>Replica: GC expired MVCC version
    GC Requests->>MVCC GC Queue: success
    Reader->>Replica: lazily capture LSM snapshot
    Reader->>Reader: evaluate using snapshot, fail to observe version

Loading

The fact that the read request and the second GC request were able to both evaluate concurrently is due to the incorrect latching. However, as discussed above, correcting the latching is insufficient to fix this bug for follower reads. We can't rely on latching to solve this problem, because the GC request's latches are only acquired on the leaseholder. The real fix is to acquire the LSM snapshot eagerly (#55461), before checking the GC threshold, to ensure that the in-memory GC threshold we check is always equal to or greater than the corresponding persistent GC threshold present in the LSM snapshot that we operate over. So to fix this bug, we essentially need to address #55293, which promotes that performance issue into a correctness issue.

Note that this would fix the thresholdFirst=true variants, but it would still not fix the thresholdFirst=false variants. To fix those cases, we need to move the call to handleGCThresholdResult from after LSM application (a "post-apply" side effect) to before LSM application (a "pre-apply" side effect). We also need to make sure we get this right during Raft snapshot application. For now, it seems safer to continue with the 2-phase protocol.

@aayushshah15 let me know whether this all makes sense to you. If so, I think I'll just merge this PR with the entire test skipped for now, with a reference to #55293. We can then set one of the goals of #55293 to be fixing and unskipping the thresholdFirst=true variants of this test.

[nvb]

bors r+

[craig]

Build succeeded:

• GitHub CI (Cockroach)