kvserver: check GC threshold after acquiring a storage snapshot

[aayushshah15]

Previously, we would check if a given read could proceed with execution
before we acquired a snapshot of the storage engine state. In particular, we
would check the replica's in-memory GC threshold before the state of the engine
had been pinned.

This meant that the following scenario was possible:

1. Request comes in, checks the replica's in-memory GC threshold and determines
   that it is safe to proceed.
2. A pair of GC requests bump the GC threshold and garbage-collect the expired data.
3. The read acquires a snapshot of the storage engine state.
4. The read continues with its execution and sees an incorrect result.

This commit makes it such that we now check the GC threshold after we acquire a
snapshot of the storage engine state.

NB: Note that this commit only fixes our current model of issuing GCRequests
-- which is that we first issue a GCRequest that simply bumps the GC threshold
and then issue another GCRequest that actually performs the garbage collection.
If a single GCRequest were to do both of these things, we'd still have an issue
with reads potentially seeing incorrect results since, currently, the in-memory
GC threshold is bumped as a "post-apply" side effect that takes effect after
the expired data has already been garbage collected. This will be handled in a
future patch.

Release note: none

Relates to #55293.

[cockroach-teamcity]

This change is 

[aayushshah15]

In the last discussion with @nvanbenschoten, he realized that the fact that this patch moves the lease check to happen after the pebble snapshot was captured is a problem.

This is because the in-memory side effect of lease changes is applied in the "post-apply" stage. Consider the following scenario:

1. A reader comes in, acquires a pebble iterator (which now happens before the lease check)
2. the lease gets transferred away to some other node, which accepts a few writes
3. the lease gets transferred back to the reader's node, which means that the lease check will pass for the reader
4. boom -- reader serves results off of a stale pebble snapshot

[aayushshah15]

Next steps:

This means that we need to split checkExecutionCanProceed into two steps -- one that happens before the storage engine snapshot is captured, and another that happens after. The lease check needs to happen before the storage engine snapshot is captured, because of the hazard described above, while the GC threshold needs to be checked after the storage snapshot is captured, which was the original intent of this PR.

This also means that we will now be splitting the single Replica.mu acquisition (which currently happens just once in checkExecutionCanProceed()) into two. This warrants some validation to ensure that we're not regressing on performance.

[aayushshah15]

I ran kv95 with the following repro steps:

rp destroy $CLUSTER
rp create $CLUSTER --nodes=6 --lifetime=3h --gce-machine-type=n1-standard-32
for i in {1..5}
do
        rp wipe $CLUSTER
        rp stage $CLUSTER cockroach
        rp start $CLUSTER:1-5
        mkdir -p ../benchlogs/kv95_${DATE}_$CLUSTER
        rp run $CLUSTER:6 -- './cockroach workload run kv --init --tolerate-errors --concurrency=192 --splits=1000 --ramp=1m --duration=5m --read-percent=95 --min-block-bytes=4096 --max-block-bytes=4096 {pgurl:1-5}' 2>&1 | tee ../benchlogs/kv95_${DATE}_$CLUSTER/${i}_kv.log
done

I compared master with the latest revision of this patch, and see the following:

benchstat ../benchlogs/master ../benchlogs/acquire_replica_mu_twice
name  old ops/sec  new ops/sec  delta
.       109k ± 4%    108k ± 1%   ~     (p=0.841 n=5+5)

name  old p50      new p50      delta
.       1.20 ± 0%    1.20 ± 0%   ~     (all equal)

name  old p95      new p95      delta
.       5.80 ± 0%    5.80 ± 0%   ~     (all equal)

name  old p99      new p99      delta
.       11.5 ± 0%    11.5 ± 0%   ~     (all equal)

[aayushshah15]

@nvanbenschoten this is ready for a look.

[nvb]

However, we spoke in person about using more iterations (maybe 25) to confirm that there is no statistically significant impact on kv95.

I'm also curious about the --min-block-bytes=4096 --max-block-bytes=4096. If you haven't run the tests again, consider using the default block size to avoid making these operations too "heavy" and drowning out the potential for lock contention.

Also, consider --gce-machine-type=n2-standard-32 --gce-min-cpu-platform='Intel Ice Lake' to run on a single NUMA node.

Reviewed 4 of 7 files at r1, 4 of 4 files at r3, 1 of 1 files at r4, all commit messages.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @arulajmani)

[aayushshah15]

I'd spun up a few runs right after our meeting (so they were running with the same repro steps as listed in #78980 (comment), but for 25 iterations). Here were the results for that:

benchstat ../benchlogs/master ../benchlogs/split_mutex_acq
name  old ops/sec  new ops/sec  delta
.       110k ± 8%    113k ± 6%  +2.81%  (p=0.025 n=25+24)

name  old p50      new p50      delta
.       1.20 ± 0%    1.10 ± 0%  -8.33%  (p=0.000 n=19+24)

name  old p95      new p95      delta
.       5.54 ±10%    5.65 ± 6%    ~     (p=0.225 n=25+24)

name  old p99      new p99      delta
.       11.4 ± 8%    11.0 ± 5%  -3.55%  (p=0.002 n=25+23)

I'm spinning up re-runs of these with Ice Lake and without the block size constraints now.

[aayushshah15]

I'm spinning up re-runs of these with Ice Lake and without the block size constraints now.

Here are these numbers:

benchstat ../benchlogs/master ../benchlogs/split_mutexes_acq
name  old ops/sec  new ops/sec  delta
.       228k ± 0%    232k ± 1%  +1.91%  (p=0.000 n=23+24)

name  old p50      new p50      delta
.       0.70 ± 0%    0.70 ± 0%    ~     (all equal)

name  old p95      new p95      delta
.       2.16 ± 3%    2.20 ± 0%  +1.85%  (p=0.001 n=25+25)

name  old p99      new p99      delta
.       5.50 ± 0%    5.50 ± 0%    ~     (all equal)

What do you think @nvanbenschoten?

[nvb]

Am I reading this correctly that we're seeing a speedup with this change? If so, isn't that surprising?

[aayushshah15]

If so, isn't that surprising?

I was wondering if it was because of the changes mentioned in https://cockroachlabs.slack.com/archives/C021WMUML04/p1655549375961439. I rebased and ran both the numbers again off of 5541cf8:

# master -> 5541cf8cc701fee4f9c90de01b5bda826d8d3c24
# split_mutexes_acq -> 5541cf8cc701fee4f9c90de01b5bda826d8d3c24 + this PR

>benchstat ../benchlogs/master ../benchlogs/split_mutexes_acq
name  old ops/sec  new ops/sec  delta
.       228k ± 0%    227k ± 1%  -0.18%  (p=0.030 n=25+25)

name  old p50      new p50      delta
.       0.70 ± 0%    0.70 ± 0%    ~     (all equal)

name  old p95      new p95      delta
.       2.17 ± 3%    2.16 ± 3%    ~     (p=0.551 n=25+25)

name  old p99      new p99      delta
.       5.50 ± 0%    5.50 ± 0%    ~     (all equal)

[nvb]

Thanks for re-running. That's a small enough performance delta to be justified by the improvement here. We may also be able to offset it if we can remove readOnlyCmdMu.

[aayushshah15]

Thanks for taking a look!

bors r+

[craig]

Build succeeded:

• GitHub CI (Cockroach)