raftstore: fix missing pending peers in region heartbeat after split

[hbisheng]

What is changed and how it works?

Issue Number: Close #17992

Since #7672, TiKV has relied on the guarantee that all merge target peers must exist before PD initiates a merge. However, this guarantee was broken in the scenario in #17992, ultimately leading to a panic.

PD uses pending_peers to verify whether all target peers exist before merging[1][2]. Investigations pointed to an issue in TiKV where it incorrectly reported missing pending peers after a split. More specifically, right after a split, TiKV triggers a new peer to upload a heartbeat[3], but at this point, the peer may not have been elected as the leader yet. Before this PR, a non-leader would always set the pending_peers to empty, causing PD to receive an incorrect region state.

Since a non-leader has no knowledge of the progress of other peers, it should consevatively mark all other peers as pending. This fix ensures that PD receives correct pending_peers info, which should prevent the immature merge and avoiding the potential panic.

[1] components/raftstore/src/store/fsm/peer.rs#L4686
[2] schedule/checker/merge_checker.go#L219
[3] schedule/filter/healthy.go#L24

What's Changed:

Fixes an issue where TiKV incorrectly reported missing `pending_peers` after a 
split, causing PD to receive an incorrect region state. This could lead to 
premature merge attempts, violating the guarantee that all target peers must 
exist before merging.

Note: This issue is unlikely to occur in production since PD enforces a split-merge-interval (default: 1h) between split and merge operations. The issue only happens if a region is merged immediately after a split.

Related changes

• PR to update pingcap/docs/pingcap/docs-cn:
• Need to cherry-pick to the release branch

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No code

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Release note

None

[hbisheng]

Possible fixes:

1. Enhance pending_create_peer (introduced in raftstore: handle the race between creating new peer and splitting correctly #8084)
   Using the info in pending_create_peer, we can block the snapshot if a conflicting split is about to happen, or block the split if a conflicting snapshot passes the snapshot check.
2. Leader ensures all merge target peers exist before proposing a merge:
   This might be achieved using an ExtraMessage mechanism. It would allow us to rely on the assumption in raftstore: rely on the all-target-peer-exist guarantee during merging #7672 once again.

I gave up on option 1 because blocking a split after it's committed is non-intuitive and prone to more race conditions. I'm now looking into option 2 to prevent the merge from happening in the first place.

[LykxSassinator]

NIT: it's better to add extra annotations here to specify that the calling of this part will only be executed by a new split peer with already campaigned, who will most likely be elected as the new leader of the region.

[hbisheng]

Added more comment as suggested

[Connor1996]

How about adding an assert here

[hbisheng]

You meant asserting that the peer is not a leader? That should always be the case according to the logic in raft-rs. So yeah I can add an assert here.

[hbisheng]

It might seem a bit unnecessary though because status() was just called a few lines before (on line 2102）

[hbisheng]

Added the assertion as suggested

[overvenus]

Should we also reject PrepareMerge when there is a pending peer to further strengthen the region merge process?

[hbisheng]

Should we also reject PrepareMerge when there is a pending peer to further strengthen the region merge process?

I hoped to do that too but it seems more complex than expected. The PrepareMerge proposal is sent to the merge source, but we actually need to check the pending peer on the merge target.

[hbisheng]

@Connor1996 @overvenus @LykxSassinator PTAL again, thanks!

[LykxSassinator]

LGTM

[Connor1996]

LGTM

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Connor1996, LykxSassinator

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Connor1996,LykxSassinator]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2025-03-06 11:03:28.450698702 +0000 UTC m=+525921.579618438: ☑️ agreed by LykxSassinator.
• 2025-03-07 07:45:00.245707534 +0000 UTC m=+600413.374627272: ☑️ agreed by Connor1996.