atomicity is violated if the first operation in a RW Transaction fails

[mr-salty]

Given the following example (pseudocode, we should write an actual test)

1:  Transaction txn = MakeReadWriteTransaction();
2:  auto result1 = client_->ExecuteDml(txn, "INSERT that will fail (duplicate row)");
3:  auto result2 = client_->ExecuteDml(txn, "INSERT that will succeed");
4:  auto commit_result = client_->Commit(txn, {});

In our client library, although the first ExecuteDml fails, the second succeeds, as does the Commit.
This behavior may be seen as violating the atomicity guarantee - users may expect that the failure of the first ExecuteDml means that the transaction cannot successfully Commit. From http://goto.google.com/spanner-txns#atomicity-consistency-durability

In addition to the Isolation property, Spanner provides Atomicity (all writes must succeed in order for the transaction to commit; if one or more writes within the transaction fail, the entire transaction fails), [...]

The reason our client library behaves this way is because we defer Transaction begin until the first operation that uses the transaction as an optimization. If the first operation on a Transaction is a write (DML) that fails, the Spanner backend does not actually begin the transaction or return one in the response, the C++ Transaction object remains in its initial state; assuming all subsequent DML operations succeed, the Commit will also succeed.

[devjgm]

Could we solve this by changing the implementation within the first ExecuteDml call (line 2 above) such that if the RPC fails to create a new transaction for us, then we assign some sentinel value to txn to indicate "FailedBegin", which would allow us to know that all future operations with txn should also fail? Would that fix this issue?

[mr-salty]

Updates from the team discussion:

• We can't easily propagate errors because of subtleties involving constraint vs non-constraint errors (BTW I do not see these terms used in any external spanner documentation)
• Changing the Spanner API to return a transaction even when an operation fails would solve the problem, but is probably not feasible, especially not in the short term.
• Always explicitly calling BeginTransaction would solve the problem, at the expense of losing the performance optimization we get from "piggybacking" the begin on another operation.
• Although we cannot propagate errors in general due to the first bullet point, we can mark the transaction as "bad" if BeginTransaction fails, and cause all subsequent operations using that transaction to fail.

As a first step, we plan to implement support for marking a transaction "bad" and checking the status before using the transaction. These changes should be mostly or completely internal and not user visible.

[mr-salty]

pseudocode for a method to avoid incurring the extra BeginTransaction call in the case where the first operation succeeds.
The code proceeds as the existing code does, unless the first operation fails. In that case we make an explicit BeginTransaction call, marking the transaction "bad" if it fails, or otherwise re-doing the first operation using the transaction ID we obtained.

// ExecuteSqlImpl is an example, this applies to all spanner operations:
ExecuteSqlImpl(TransactionSelector& s, [...]) {
  // The initial part is the same as the existing code.
  // If the transaction has not yet been started then `s.has_begin()` is true.
  ExecuteSqlRequest req;
  *req.mutable_transaction() = s;
  response = stub->ExecuteSql(req);
  if (s.has_begin())
    if (response contains a transaction ID) {
      // same as existing code; save the transaction id from the response
      s.set_id(id);
    } else {
      // explicitly call BeginTransaction then re-do the operation
      BeginTransactionRequest begin_req;
      begin_req.set_options(s.begin());
      begin_result = stub->BeginTransaction(begin_req);
      if (begin_result.ok()) {
        s.set_id(begin_result->id());
        *req.mutable_transaction() = s;
        response = stub->ExecuteSql(req);
      } else {
        // begin transaction failed; all hope is lost
        s.mark_as_bad();
      }
    }
  }
  ...
}

[mr-salty]

as discussed @devbww is going to start with the "mark transaction bad and propagate" piece.

[devbww]

Just to fill out the example a little, the ...

  *req.mutable_transaction() = s;

section would need to be preceded by something like ...

  if (s.is_bad()) {
    // begin transaction failed; all hope is lost
    ...
  }

where the ... part is similar to the other "all hope is lost" case.