andrewjstone
commented
7 years ago @evanmcc I implemented this pretty close to the RFC (along with some other minor code cleanup), and the tests pass. I think though that in order for it to be correct I also need to send the min_commit num in RecoveryResponse messages. The reasoning is that while a recovering node will always recover to at least the min commit, it still needs to know the value in case there is a view change.
One other thing I realized is that I don't think the commit num is actually what we need. We can't actually assume that it's really a "global commit num" anyway as those nodes may not have gotten commit messages for their prepares, so a prepare at op n doesn't imply a commit at n-1. However, that doesn't really matter in the case of this code. What we are trying to do is ensure we transfer the minimum amount of log entries during view change. I believe what we care about tracking is the min_global_prepare log entry.
If a primary got PrepareOK messages from all backups for op n, then during a view change no log entries will need to be transferred. However, if we track the latest commit as n-1 and don't receive any more prepares before a view change we will always be sending 1 entry in DoViewChange and StartView messages unnecessarily.
evanmcc
Additionally add some other protocol fixes/enhancements:
Some notes about the above enhancements:
When there are outstanding uncommitted operations, and a primary timeout occurs resend the prepare instead of a commit message to ensure it eventually commits even if no more new client requests are received.
Track the broadcast in
PrepareRequestsusing the pid of the primary if it wasn't the one to receive the client request, such as after a view change. On commit filter on this pid so that a client reply is not sent from the primary to itself.If a backup receives a Prepare message for the last operation in it's log it sends a PrepareOk so that the primary can commit in case prior PrepareOk messages were dropped.
When becoming a backup, send a PrepareOk message for the last log entry to the primary. This is specified in the paper for view change, but not recovery. For recovery this allows the primary to update it's min_accepted map without having to wait for a new client request which may not come for quite a while. Note that this message can also be dropped, but as it is an optimization it is still safe.
Testing
Add a model of the VR replicas for QC tests
An abstract model of the state of a VR replica set has been created for use in quickcheck tests. The state of all the replicas is compared against the model after each operation to ensure correctness.
The primary idle timeout has been moved from the primary state into the context so that any changes to its configuration can carry across state transitions.
Add a history member to the scheduler that allows us to track messages and operations throughout tests and then only show the failing history. This is especially useful in QC tests when we only want to display the history for the shrunk test.
Fix make-devrel to use the right binary to generate configuration.