Concurrency issue with block store

[kostko]

The block pruning functionality (activated by returning a RetainHeight from Commit) does not seem to be safe for concurrent use. One example of such a scenario appears to be triggerable when LoadBlock is called on the store.BlockStore, for example this part:

tendermint/store/store.go

Lines 79 to 89 in 8e4c41e

	var blockMeta = bs.LoadBlockMeta(height)
	if blockMeta == nil {
	return nil
	}
	pbb := new(tmproto.Block)
	buf := []byte{}
	for i := 0; i < int(blockMeta.BlockID.PartSetHeader.Total); i++ {
	part := bs.LoadBlockPart(height, i)
	buf = append(buf, part.Bytes...)
	}

If pruning is in progress (concurrently) then bs.LoadBlockPart can return nil as indicated by its documentation:

tendermint/store/store.go

Line 128 in 8e4c41e

// If no part is found for the given height and index, it returns nil.

But since the nil value is not handled correctly this may result in a panic due to a nil dereference.

There seems to be a bs.mtx, but for some reason it is not locked when accessing state via Load* methods. This can result in the state changing while the Load* method is executing, e.g., in the above example the LoadBlockMeta can succeed while the subsequent LoadBlockPart will return nil as the block/part has since been removed.

[erikgrinaker]

One example of such a scenario appears to be triggerable when LoadBlock is called on the store.BlockStore

I've opened #5382 with a fix for this, but I'm going to look for any other cases too before merging it.

It occurred to me that this race can happen even without any block pruning at all, since SaveBlock() saves the block metadata before it saves the block parts - will add a fix for that as well.

There seems to be a bs.mtx, but for some reason it is not locked when accessing state via Load* methods.

The mtx only guards the base and height fields (it is idiomatic Go to document this by placing the guarded fields below the mutex field). The idea is that the database does its own concurrency control, since it can do a better job at it - e.g. with finer lock granularity. Taking out a global write lock e.g. for the duration of PruneBlocks() is too coarse, and would block access to the store for other operations.

[kostko]

Taking out a global write lock e.g. for the duration of PruneBlocks() is too coarse, and would block access to the store for other operations.

That's true, currently it seems to guard base/height updates and batch flushes. So taking it (for reads, to allow concurrent reads) at the beginning of Load* methods, before reading any state, and only releasing it after leaving the method would prevent batches from being flushed (data from being deleted) while any Load* is executing.

The idea is that the database does its own concurrency control, since it can do a better job at it - e.g. with finer lock granularity.

Yeah but you keep some state (base/height) in the store structure (I assume this is to avoid the database overhead) and never use this state in Load* methods. Why not take the RLock in Load* and check that you can actually access the height before blindly trying to fetch it from the database?

I agree that properly handing nil results and reordering inserts (as you do now in #5382) is something that should be done anyway, but the overall design probably also needs a minor refactor.

[erikgrinaker]

Yeah but you keep some state (base/height) in the store structure (I assume this is to avoid the database overhead)

Well, kind of - the key encoding used by the block store is not lexicographically ordered (see #4567), so it's not currently practical to query the database for this information. Otherwise we should just do that instead and rely on the database for all concurrency control.

taking it (for reads, to allow concurrent reads) at the beginning of Load* methods, before reading any state, and only releasing it after leaving the method would prevent batches from being flushed (data from being deleted) while any Load* is executing.

Again, I think this is too coarse. For example, this prevents saving new blocks while loading old blocks, and any read will prevent pruning and saving (even though those reads may be completely unrelated to the blocks being written).

Why not take the RLock in Load* and check that you can actually access the height before blindly trying to fetch it from the database?

In the typical case we're hitting blocks that exist anyway, and otherwise it will always return nil, so why take out unnecessary locks?

The correct way to do this would be to simply use an atomic database transaction while saving and pruning blocks, and similarly use a database transaction with snapshot isolation while reading blocks. However, the current database abstraction allows using databases that don't provide ACID guarantees. I think we should just pick an ACID database and use all of its features, and this is something we're currently discussing, but it's not a priority right now.

[kostko]

Well, kind of - the key encoding used by the block store is not lexicographically ordered (see #4567), so it's not currently practical to query the database for this information.

🤦

Again, I think this is too coarse. For example, this prevents saving new blocks while loading old blocks, and any read will prevent pruning and saving (even though those reads may be completely unrelated to the blocks being written).

Sure that's a good point, I just assumed these operations were fairly quick based on the fact that your current design already has a read/write lock. Now I assume you did profiling and noticed that taking a lock here would actually be highly contended in the usual scenarios? Saving a block is usually not a very frequent operation, maybe during fast sync.

In any case the current design is weird, you have this lock in place which you don't want to use because you're afraid of its overhead. But you don't want to remove it because for some operations you still need it as you can't easily query the database? Which makes it harder to reason about -- when should the lock be taken vs. when we are relying on the database to do concurrency control? At least some comments in this regard would probably be nice.

[erikgrinaker]

The only purpose of the mutex is to protect concurrent access to the base and height fields, as it's not safe to concurrently access struct fields in Go. It has no other meaning. In principle we could have a separate lock per field, but that seems overkill. I'll add a comment for this.

[erikgrinaker]

Added #5383 to improve the overall concurrency control design, it's going to need some design work and there are a few related issues to consider.