Prioritized locking

[jihoonson]

Part of #4479.

This patch contains only the prioritized locking and is based on #1679. I'll implement fine-grained locking which include acquiring different types of locks depending on the task spec in a follow-up pr.

Highlight changes are

• TaskLock has a TaskLockType and two states of upgraded and revoked.
• TaskLockbox is responsible for managing all TaskLocks including upgraded and revoked ones.
• Lock preemption is based on optimistic locking. It means, lock preemption is not notified to the lock owners immediately. Instead, it is notified when the lock owners try to acquire the same lock again or upgrade the lock. If the lock owners are notified the lock is revoked, they should fail.
• Idempotent lock acquisition is guaranteed only unless the lock is not preempted. Once the lock is preempted, subsequent lock acquisitions or lock upgrade result in failed LockResults.
• Locks are automatically upgraded/downgraded before/after publishing segments in SegmentTransactionalInsertAction.

---

This change is 

[jon-wei]

minor: "tasks don't content" -> "tasks don't contend"

[jihoonson]

Thanks @jon-wei.. I fixed typos.

[jon-wei]

Did an initial pass of the files outside of TaskLockbox, still looking at the changes in TaskLockbox, will do another review pass after that

[jon-wei]

"execlusive" -> "exclusive"

[jon-wei]

"segemtns" -> "segments"

[jon-wei]

I think this could be just called "revoked"

[jihoonson]

Changed.

[jon-wei]

are you planning on updating this TODO within this PR?

[jihoonson]

Ah sorry, I forgot removing it.

[jon-wei]

Did a second pass on all the files, had a few comments.

Generally LGTM, but I think it'd be good if someone more familiar with the existing task management code also takes a look in case I missed stuff.

[jon-wei]

is this TODO implemented already?

[jihoonson]

Sorry. It's already done but didn't remove it.

[jon-wei]

I think you could make SegmentPublishResult.fail() a static object instead of a function that returns a new one

[jihoonson]

I guess the fail SegmentPublishResult is not common because it can happen only when the lock upgrade is failed due to preemption or metadata update is failed. In this case, I think this is better because the instance will be GCed immediately after it is processed while the static instance will be kept until the jvm terminates.

[jon-wei]

Should this use checkTaskLocksUpgraded() instead?

[jihoonson]

Nice catch! Yes it should be. But now, it looks better to check locks first and then upgrade them. checkTaskLocksUpgraded() is not used anymore and I removed it.

[jon-wei]

Does the segment delete need upgraded locks?

[jihoonson]

Good catch! I added lock upgrade here and SegmentMetadataUpdateAction. Additionally, some other actions like SegmentListUsedAction and SegmentListUnusedAction also look to check lock before performing their actions. I'll check and raise a new pr for this issue.

[jon-wei]

maybe call this acquireExclusiveLocks since it always creates exclusive locks

[jihoonson]

Renamed.

[jihoonson]

@jon-wei thanks. I addressed your comments.

[jihoonson]

Would anyone review this please?

[gianm]

Did a partial review. Will pick it back up after seeing what you think about the comments so far.

[gianm]

This line will throw NPE when deserializing existing task locks from the database, since anything created before this patch won't have a "type", and so type.equals cannot work.

I think that means we need some migration code here for how to deal with legacy task locks. Would it make sense to load them as exclusive, upgraded locks? (Since legacy locks were always exclusive and non-preemptible)

[jihoonson]

Good point. Yeah, the lock should be exclusive if type is null.

[gianm]

Exception messages are more useful if you do something like Preconditions.checkNotNull(groupId, "groupId") -- otherwise a caller has to dig through the source to find what check happened on the line.

[jihoonson]

Thanks. Added.

[gianm]

Having two states that interact in very specific ways seems confusing to me. I'm already having a tough time keeping the checks straight. I think it's usually simpler to have a single state enum, maybe in this case with three possible values:

• PREEMPTIBLE
• NONPREEMPTIBLE
• REVOKED

It would help make a couple of salient facts more clear:

• revoked + upgraded is impossible
• REVOKED is a dead-end and cannot be transitioned out of

It would be similar to the design of the "State" enum in QueryLifecycle or DruidStatement or the "Status" enum in KafkaIndexTask.

[jihoonson]

Sounds good, but I removed preemptible/non-preemptible states in the latest patch. Please see #4550 (comment).

[gianm]

Please add null checks here if they are important.

[jihoonson]

Added a default lock type if it's null.

[gianm]

The type of the return can't change, for protocol compatibility reasons. Check out rolling-updates.md -- we allow users to update middleManagers either before or after the overlord and the two versions of code must be able to communicate with each other.

One possible solution could involve adding TaskLock's fields to LockResult, so a LockResult from a new overlord could be deserialized as a TaskLock by an old task (while making sure that the right thing will happen in this case).

It could also involve adding an extra field to LockResult such that a new task could detect that it's talking to an old overlord and act accordingly (the task could know that if the field's not present, it means the overlord is old).

[jihoonson]

Good point. I reverted the return type of LockAcquireAction and LockTryAcquireAction. Also, tested backward compatibility in my local cluster.

[gianm]

There are protocol compatibility concerns here too. Imagine an old middleManager sending a LockAcquireAction with no lockType to a new overlord. Or imagine an old overlord receiving a LockAcquireAction from a new middleManager, and it would ignore the lockType field.

[jihoonson]

Good point. TaskLockType should be EXCLUSIVE if it is null. Tested backward compatibility in my local cluster.

[gianm]

Similar comments to LockAcquireAction.

[jihoonson]

Reverted return type.

[gianm]

interval is unused here, outside of log messages and exceptions. Seems suspicious.

[jihoonson]

Refactored.

[gianm]

This may not work as you intend. I believe lockbox.upgrade(task, interval) only works if the lock interval is exactly interval, but it might not be in this case. For example, HadoopIndexTask acquires locks for a wider interval than its individual segments (it computes an umbrella interval and locks that).

[jihoonson]

lockbox.upgrade() actually works if there is only one lock whose interval contains the given interval. Do you think this makes sense?

[gianm]

It's not consistent with how unlock works so it's a little strange in that regard. I guess it's fine, but the javadocs for the methods lock, unlock, upgrade, and downgrade should describe how this works, since otherwise it will get confusing.

[jihoonson]

Good point, but in the latest patch, I simplified the logic around critical section and removed upgrade/downgrade methods.

[gianm]

Since multiple tasks can obtain the same lock, is this vulnerable to a problem like:

• Task A and B share a lock
• Task A enters a critical section and upgrades the lock
• Task B enters a critical section and upgrades the lock
• Task A downgrades the lock
• Now Task B's lock is downgraded even though it's still in a critical section

[jihoonson]

Good point. I guess Task A and B are subtasks of a task because it's allowed to share an exclusive lock only if they have the same groupId. In this case, upgrade/downgrade must be atomic.

BTW, while I'm looking into this, I realized that the atomic operation in a critical section can be achieved without complicated upgrade and downgrade. So, in the latest patch, I removed them and added a new method doInCriticalSection() to TaskLockBox instead.

doInCriticalSection()method performs a given action with a guarantee that the locks of the task requested the action are not preempted while performing the action. Currently, this is guaranteed by acquiring a ReentrantLock, which means every call to methods of TaskLockBox are blocked until doInCriticalSection() is finished. I think this should be fine because

• Publishing segments should not take a long time.
• Publishing segments won't be frequent even after the fine-grained locking proposed in [Proposal] Background compaction #4479 is implemented. The compaction task will be the one which needs more frequent locking and publishing segments than other task types, but it should be suppressed to not make a big overhead to the cluster.

[gianm]

revokedCopy() would be a better name; revoke() sounds like a verb that would do something. But this method doesn't really do anything, just returns a value.

[jihoonson]

Renamed.

[gianm]

How long are they kept? Could we run out of memory storing them all?

[gianm]

I saw later on that these are kept until unlock is called so it seems OK to me.

[gianm]

How about combining both of these behaviors into the CriticalAction interface? (Or did you want to keep them separate so lambdas could be used?)

[jihoonson]

Yes for using lambdas for simplicity, but I agree this interface looks quite weird. I combined these actions into one CriticalAction and added a builder.

[gianm]

Can you do this in a metadata store transaction? We take advantage of such transactions for other operations that must be atomic, such as segment publishing and kafka offset committing.

See IndexerSQLMetadataStorageConnector.announceHistoricalSegments for an example using connector.retryTransaction.

[jihoonson]

Good point. Fixed.

[gianm]

announceHistoricalSegments is already done inside a metadata store transaction, so does it have to be in a lockbox critical section as well? It's either going to happen, or not happen, so it shouldn't be an issue if a lock preempts this operation in the middle or not.

(However, if it is preempted, the task should promptly exit)

[gianm]

This comment makes me wonder, do we need critical sections at all for locks?

Could the cases that require them all be implemented using metadata store transactions?

[jihoonson]

doInCriticalSection guarantees the lock validation and a critical action are done atomically. I thought the metadata store transactions are used for storing/retrieving segment information to/from the metadata storage, and TaskLockBox is responsible for managing task locks. It means, lock validity should be checked by TaskLockBox.

Do you think locks can be checked inside metadata storage transactions as well? I think it might be possible if all locks are stored in only metadata store not in memory. Also, I wonder why locks are stored in memory as well as metadata store. Is this for performance?

[gianm]

Ah, I see. You're right. I almost forgot that lock checking is important, since for insert-only tasks the design does not depend on lock checking for correctness. But it does matter for mixing insert tasks with reindexing or updating tasks.

Do you think locks can be checked inside metadata storage transactions as well? I think it might be possible if all locks are stored in only metadata store not in memory. Also, I wonder why locks are stored in memory as well as metadata store. Is this for performance?

Hmm, I think it's worth exploring...

The idea behind storing locks in memory was indeed performance. However with the really fat synchronization I'm not sure how much benefit we get beyond storing them solely in the metadata store. I haven't evaluated the performance of metadata-store-only vs. the current memory+metadata system. It would surely make things simpler to do metadata-store-only, all else being equal.

[jihoonson]

Sounds good. I'll do some benchmark in a follow-up pr.

[gianm]

I don't see any code that creates SHARED locks. Are they used?

Should they be used?

[jihoonson]

Yes, they will be created in the next pr.

[gianm]

OK, got it.

[gianm]

thanks @jihoonson!

[himanshug]

@jihoonson I see that this is expected behavior, but is this really ok. So, low priority task can't get the lock even after high priority task has unlocked.
I think, this behavior is creating following problem.

• a kill task was created that acquired the lock.
• a index task came and took same lock , revoking above before kill task even had a chance to run.
• overlord restarted for whatever reason
• kill task would not be given to taskRunner as it can't get lock , index task has it.
• now index task is finished , and unlocked.
• kill task is forever in waiting state because it is not being able to acquire the lock even if no-one has that lock.

[jihoonson]

Hmm, so the intention of the revoked lock is for tasks to know that the acquired lock is no longer valid so the task should fail itself. I guess the real issue might be a wrong task state after the overlord is restarted. Once a kill task gets a lock, its isReady() method should be called already, which means, the kill task is at least in the pending state. i think this state shouldn’t be changed after restart.

[himanshug]

maybe, but given that the high priority task (which caused the revocation) is done, unlocked and gone.. why the low priority task shouldn't be able to get the lock now and do its thing instead of dying?

[himanshug]

I think current behavior makes sense for case ...

1. low priority indexing task1 took lock , started running creating segments.
2. high priority indexing task2 took lock, revoked above, created segments, published them
3. at this point segments created by indexing task1 might be outdated and hence it should not be able to make progress.

[himanshug]

however, this causes potential for task to be stuck in waiting state forever in case of overlord restarts... as task.isReady() will keep on returning false forever due to the revoked lock and TaskQueue will not give it to TaskRunner.

[jihoonson]

I guess there could be a couple of reasons.

1. I guess we don't know exactly what users want. In this example, you might want to kill some segments after the index task is finished, but in the same scenario, some people want to just ignore the kill task and run the index task. Running kill task could be surprising for these people.
2. It's not easy to make the behavior consistent across the tasks of different states. For example, if some locks of a running task are revoked, to make the behavior consistent, the task could be paused for a while until the high priority task releases the lock and continues. I think this could be doable, but will need a lot of work.

[jihoonson]

Oh I missed your last 2 comments. It makes sense too. Maybe we need to figure out why its state has changed after restart and fix it.

[himanshug]

I "think" here is what led to the problem state...

1. a kill task is submitted, TaskQueue called isReady() on it which created a lock in DB for it.
2. above task hasn't started running yet, a index task is submitted over same interval. TaskQueue called isReady() on it which revoked kill task's lock.
3. none of the above tasks are running just yet (because a lot of tasks got submitted at same time and TaskRunner is busy before it gets to assign above tasks to worker)
4. overlord restarted
5. kill task's isReady() now returns false forever and TaskQueue never gives it to TaskRunner
6. index task's isReady() said true, it was run and finished successfully.

I think the problem happens because isReady() doesn't differentiate between not getting a lock and having a revoked lock . Ideally TaskQueue should notice that kill task's lock is revoked and should set its state to failed.

[jihoonson]

Oh, I see. Perhaps this could be related to the lame task state tracking in the overlord. 😭
I'm not sure if it's the best idea but I think we can change the return type of isReady() to some enum value which could be one of READY, NOT_READY, and CANNOT_READY.

[himanshug]

sorry , got sidetracked in some other stuff.

I can't think of a better quick fix so that would be OK I think.