concurrency_manager: check update_max_ts against a limit

[ekexium]

What is changed and how it works?

Issue Number: close #17916

What's Changed:

concurrency_manager: add safety boundary for max_ts updates

Add `max_ts_limit` to prevent unreasonable timestamp updates. The limit is 
synchronized with PD timestamp periodically. Configure via max_ts_allowance_secs
 and max_ts_sync_interval_secs.

Updates from PD bypass this limit.

Metric:

Benchmark of update_max_ts:
master

update_max_ts           time:   [3.7480 ns 3.7481 ns 3.7483 ns]

This PR

update_max_ts           time:   [4.1907 ns 4.1909 ns 4.1911 ns]

Read operations typically need hundreds of microseconds, so I suppose this regression has little impact.

Related changes

• PR to update pingcap/docs/pingcap/docs-cn:
• Need to cherry-pick to the release branch

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No code

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Release note

Introduce a max-ts checker.
Introduce config items: storage.max-ts-drift-allowance, storage.max-ts-sync-interval, and storage.action-on-invalid-max-ts.

[ekexium]

It could be better to introduce a new error type, but it is inappropriate for cherry-picking to older versions.

[cfzjywxk]

There would be not enough information for the kv requests if panic here directly, is there a way to print the related request information?

[ekexium]

Passing context information into the concurrency manager is not feasible. So to print related information will require us to panic in the caller side or upper layers. There are 17 callers currently, even if we address them individually, we cannot guarantee consistent panic handling for future code changes. What do you think?

[cfzjywxk]

One approach is to pass a tracker to the update_max_ts method(or just get it by with_tracker like elsewhere). The tracker contains some execution context information, and if a panic occurs, the related tracker information can be printed for debugging.

[ekexium]

I explored the implementation but adding the required boilerplate code wouldn't be worth it for this error message. Since most cases only need the command type and timestamps, I opted to pass a string instead, which also makes the PR more suitable for cherry-picking to older versions.

[cfzjywxk]

After this change, TiKV's availability state introduces an additional influencing factor: fetching timestamps from PD. If there is a network partition between TiKV and PD leader for a period, the update_max_ts could be rejected continuously, introducing a potential stability risk.

This is still a challenging trade-off between stability risk and correctness risk, difficult to decide.

BTW, if the current TiKV is isolated from the PD leader for a period but communication between regions remains normal, what is TiKV's existing behavior?

[ekexium]

We can implement a failsafe: The max_ts check will be suspended after consecutive TSO fetch failures (defined by time period or failure count) until the limit is updated.

[cfzjywxk]

This configurations need to be changed online.

[ekexium]

Making the sync interval dynamically adjustable would add unnecessary complexity, while I've already made the other two parameters configurable at runtime.

[MyonKeminta]

Why not receiving &str? Passing "...".to_owned() looks potentially introducing additional overhead.

[MyonKeminta]

Ah... I see. Perhaps we can have a enum type like UpdateMaxSource carrying the important fields of that request or operation, and format it into string only when necessary.

[ekexium]

One problem I see is that this approach somewhat breaks a design principle: we impose the knowledge of users or callers on the concurrency manager, by defining the enum. It could bring some performance gains. Do you think it's worth it?

[MyonKeminta]

🤔
How about:

fn update_max_ts(&self, new_ts: TimeStamp, source: impl Display)

So the enum type can be defined outside the concurrency manager module(?)

[MyonKeminta]

And then it doesn't need to be a single type (e.g., CDC can have its source representation in cdc module, while txn related requests can have an enum defined in the tikv module)

[ekexium]

Using the generic arguments seems a good idea.
Will format_args be enough so we don't have to define types everywhere?

[MyonKeminta]

Should we consider the case that PD and TiKV is network-isolated and the limit is not updated in time? How about adding an additional gap according to the duration that has been elapsed since the last successful set_max_ts_limit call? We can first check new_ts > limit as the fast path, and check new_ts > limit + gap then if the former failed, so that the overhead of getting the system time can be avoided in most cases.

[ekexium]

Yeah already added just as your suggestion 😁 I used a different approach that sets a valid lifetime of each limit, which is more strict but also a bit more complex 🤔.
PTAL

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-8.5: #18047.

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-7.5: #18049.

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-7.1: #18048.

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-6.5: #18050.

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-8.1: #18051.