Before this PR: getSortedColumns() has a bug where it concatenates together several iterators which are batches loaded from the database, and to load an element off one of these iterators you first need to check that you still have the locks etc. However, there is a problem when the number of results and so the number of batches is 0: in this case we don’t do a lock check, but we actually need to: it’s possible to have lost your locks (so sweep deleted some stuff) and still get a response of [] to a getSortedColumns call, which is a dirty read. Your transaction will eventually fail, but not immediately - and if you’ve already done some side effect elsewhere in the system based on what you thought was a valid state of the database, the damage lives on.
After this PR:
==COMMIT_MSG==
getSortedColumns() now performs a lock check immediately in the case where the number of results retrieved from the database is 0.
==COMMIT_MSG==
Priority: P1: no direct data corruption per se but can have unexpected, lasting consequences.
Concerns / possible downsides (what feedback would you like?):
I don't like this API (I'd prefer to return an empty iterator that throws the exception when you try and perform hasNext() or next()), but I'm going with consistency with the more "standard" getRowsColumnRange().
Is documentation needed?: No.
Compatibility
Does this PR create any API breaks (e.g. at the Java or HTTP layers) - if so, do we have compatibility?: No
Does this PR change the persisted format of any data - if so, do we have forward and backward compatibility?: No
The code in this PR may be part of a blue-green deploy. Can upgrades from previous versions safely coexist? (Consider restarts of blue or green nodes.): Yes; old versions might still do the dirty read
Does this PR rely on statements being true about other products at a deployment - if so, do we have correct product dependencies on these products (or other ways of verifying that these statements are true)?: No
Does this PR need a schema migration? No
Testing and Correctness
What, if any, assumptions are made about the current state of the world? If they change over time, how will we find out?: Nothing in particular
What was existing testing like? What have you done to improve it?: Added a test for the specific case
If this PR contains complex concurrent or asynchronous code, is it correct? The onus is on the PR writer to demonstrate this.: N/A
If this PR involves acquiring locks or other shared resources, how do we ensure that these are always released?: N/A
Execution
How would I tell this PR works in production? (Metrics, logs, etc.): It's hard to tell. I don't think we need to look out specifically for this case
Has the safety of all log arguments been decided correctly?: N/A
Will this change significantly affect our spending on metrics or logs?: No
How would I tell that this PR does not work in production? (monitors, etc.): N/A
If this PR does not work as expected, how do I fix that state? Would rollback be straightforward?: Rollback
If the above plan is more complex than “recall and rollback”, please tag the support PoC here (if it is the end of the week, tag both the current and next PoC):
Scale
Would this PR be expected to pose a risk at scale? Think of the shopping product at our largest stack.: No
Would this PR be expected to perform a large number of database calls, and/or expensive database calls (e.g., row range scans, concurrent CAS)?: No
Would this PR ever, with time and scale, become the wrong thing to do - and if so, how would we know that we need to do something differently?: I don't think so
Development Process
Where should we start reviewing?: It's small
If this PR is in excess of 500 lines excluding versions lock-files, why does it not make sense to split it?:
Please tag any other people who should be aware of this PR:
@jeremyk-91
@sverma30
@raiju
General
Before this PR: getSortedColumns() has a bug where it concatenates together several iterators which are batches loaded from the database, and to load an element off one of these iterators you first need to check that you still have the locks etc. However, there is a problem when the number of results and so the number of batches is 0: in this case we don’t do a lock check, but we actually need to: it’s possible to have lost your locks (so sweep deleted some stuff) and still get a response of [] to a getSortedColumns call, which is a dirty read. Your transaction will eventually fail, but not immediately - and if you’ve already done some side effect elsewhere in the system based on what you thought was a valid state of the database, the damage lives on.
After this PR:
==COMMIT_MSG== getSortedColumns() now performs a lock check immediately in the case where the number of results retrieved from the database is 0. ==COMMIT_MSG==
Priority: P1: no direct data corruption per se but can have unexpected, lasting consequences.
Concerns / possible downsides (what feedback would you like?):
Is documentation needed?: No.
Compatibility
Does this PR create any API breaks (e.g. at the Java or HTTP layers) - if so, do we have compatibility?: No
Does this PR change the persisted format of any data - if so, do we have forward and backward compatibility?: No
The code in this PR may be part of a blue-green deploy. Can upgrades from previous versions safely coexist? (Consider restarts of blue or green nodes.): Yes; old versions might still do the dirty read
Does this PR rely on statements being true about other products at a deployment - if so, do we have correct product dependencies on these products (or other ways of verifying that these statements are true)?: No
Does this PR need a schema migration? No
Testing and Correctness
What, if any, assumptions are made about the current state of the world? If they change over time, how will we find out?: Nothing in particular
What was existing testing like? What have you done to improve it?: Added a test for the specific case
If this PR contains complex concurrent or asynchronous code, is it correct? The onus is on the PR writer to demonstrate this.: N/A
If this PR involves acquiring locks or other shared resources, how do we ensure that these are always released?: N/A
Execution
How would I tell this PR works in production? (Metrics, logs, etc.): It's hard to tell. I don't think we need to look out specifically for this case
Has the safety of all log arguments been decided correctly?: N/A
Will this change significantly affect our spending on metrics or logs?: No
How would I tell that this PR does not work in production? (monitors, etc.): N/A
If this PR does not work as expected, how do I fix that state? Would rollback be straightforward?: Rollback
If the above plan is more complex than “recall and rollback”, please tag the support PoC here (if it is the end of the week, tag both the current and next PoC):
Scale
Would this PR be expected to pose a risk at scale? Think of the shopping product at our largest stack.: No
Would this PR be expected to perform a large number of database calls, and/or expensive database calls (e.g., row range scans, concurrent CAS)?: No
Would this PR ever, with time and scale, become the wrong thing to do - and if so, how would we know that we need to do something differently?: I don't think so
Development Process
Where should we start reviewing?: It's small
If this PR is in excess of 500 lines excluding versions lock-files, why does it not make sense to split it?:
Please tag any other people who should be aware of this PR: @jeremyk-91 @sverma30 @raiju