Re: [HACKERS] Get stuck when dropping a subscription duringsynchronizing table - Mailing list pgsql-hackers

On Mon, May 15, 2017 at 8:02 PM, Kyotaro HORIGUCHI
<horiguchi.kyotaro@lab.ntt.co.jp> wrote:
> Hello,
>
> At Fri, 12 May 2017 17:24:07 +0900, Masahiko Sawada <sawada.mshk@gmail.com> wrote in
<CAD21AoDJihMvdiZv7d_bpMPUK1G379WfxWpeanmJVn1KvEGy0Q@mail.gmail.com>
>> On Fri, May 12, 2017 at 11:24 AM, Masahiko Sawada <sawada.mshk@gmail.com> wrote:
>> > On Thu, May 11, 2017 at 6:16 PM, Petr Jelinek
>> > <petr.jelinek@2ndquadrant.com> wrote:
>> >> On 11/05/17 10:10, Masahiko Sawada wrote:
>> >>> On Thu, May 11, 2017 at 4:06 PM, Michael Paquier
>> >>> <michael.paquier@gmail.com> wrote:
>> >>>> On Wed, May 10, 2017 at 11:57 AM, Masahiko Sawada <sawada.mshk@gmail.com> wrote:
>> >>>>> Barring any objections, I'll add these two issues to open item.
>> >>>>
>> >>>> It seems to me that those open items have not been added yet to the
>> >>>> list. If I am following correctly, they could be defined as follows:
>> >>>> - Dropping subscription may stuck if done during tablesync.
>> >>>> -- Analyze deadlock issues with DROP SUBSCRIPTION and apply worker process.
>> >>
>> >> I think the solution to this is to reintroduce the LWLock that was
>> >> removed and replaced with the exclusive lock on catalog [1]. I am afraid
>> >> that correct way of handling this is to do both LWLock and catalog lock
>> >> (first LWLock under which we kill the workers and then catalog lock so
>> >> that something that prevents launcher from restarting them is held till
>> >> the end of transaction).
>> >
>> > I agree to reintroduce LWLock and to stop logical rep worker first and
>> > then modify catalog. That way we can reduce catalog lock level (maybe
>> > to RowExclusiveLock) so that apply worker can see it. Also I think
>> > that we need to do more things like in order to prevent that we keep
>> > to hold LWLock until end of transaction, because holding LWLock until
>> > end of transaction is not good idea and could be cause of deadlock. So
>> > for example we can commit the transaction in DropSubscription after
>> > cleaned pg_subscription record and all its dependencies and then start
>> > new transaction for the remaining work. Of course we also need to
>> > disallow DROP SUBSCRIPTION being executed in a user transaction
>> > though.
>>
>> Attached two draft patches to solve these issues.
>>
>> Attached 0001 patch reintroduces LogicalRepLauncherLock and makes DROP
>> SUBSCRIPTION keep holding it until commit. To prevent from deadlock
>> possibility, I disallowed DROP SUBSCRIPTION being called in a
>> transaction block. But there might be more sensible solution for this.
>> please give me feedback.
>
> +        * Protect against launcher restarting the worker. This lock will
> +        * be released at commit.
>
> This is wrong. COMMIT doesn't release left-over LWLocks, only
> ABORT does (precisely, it seems intended to fire on ERRORs). So
> with this patch, the second DROP SUBSCRIPTION is stuck on the
> LWLock acquired at the first time. And as Petr said, LWLock with
> such a duration seems bad.

Oh I understood. Thank you for pointing out.

>
> The cause seems to be that workers ignore sigterm on certain
> conditions. One of the choke points is GetSubscription, the other
> is get_subscription_list. I think we can treat the both cases
> without LWLocks.
>
> The attached patch does that.
>
> - heap_close + UnlockRelationOid in get_subscription_list() is
>   equivalent to one heap_close or relation_close but I took seeming
>   symmetricity.
>
> - 0.5 seconds for the sleep in ApplyWorkerMain is quite
>   arbitrary. NAPTIME_PER_CYCLE * 1000 could be used instead.
>
> - NULL MySubscription without SIGTERM might not need to be an
>   ERROR.
>
> Any more thoughts?

I think the above changes can solve this issue but It seems to me that
holding AccessExclusiveLock on pg_subscription by DROP SUBSCRIPTION
until commit could lead another deadlock problem in the future. So I'd
to contrive ways to reduce lock level somehow if possible. For
example, if we change the apply launcher so that it gets the
subscription list only when pg_subscription gets invalid, apply
launcher cannot try to launch the apply worker being stopped. We
invalidate pg_subscription at commit of DROP SUBSCRIPTION and the
apply launcher can get new subscription list which doesn't include the
entry we removed. That way we can reduce lock level to
ShareUpdateExclusiveLock and solve this issue.
Also in your patch, we need to change DROP SUBSCRIPTION as well to
resolve another case I encountered, where DROP SUBSCRIPTION waits for
apply worker while holding a tuple lock on pg_subscription_rel and the
apply worker waits for same tuple on pg_subscription_rel in
SetSubscriptionRelState().

>
>
> FYI, I reproduced the situation by the following steps. This
> effectively reproduced the situation without delay insertion for
> me.
>
> # Creating 5 tables with 100000 rows on the publisher
> create table t1 (a int);
> ...
> create table t5 (a int);
> insert into t1 (select * from generate_series(0, 99999) a);
> ...
> insert into t5 (select * from generate_series(0, 99999) a);
> create publication p1 for table t1, t2, t3, t4, t5;
>
>
> # Subscribe them, wait 1sec, then unsbscribe.
> create table t1 (a int);
> ...
> create table t5 (a int);
> truncate t1, t2, t3, t4, t5; create subscription s1 CONNECTION 'host=/tmp port=5432 dbname=postgres' publication p1;
selectpg_sleep(1); drop subscription s1;
 
>
> Repeated test can be performed by repeatedly enter the last line.
>
>> >>>> -- Avoid orphaned tablesync worker if apply worker exits before
>> >>>> changing its status.
>> >>>
>> >>
>> >> The behavior question I have about this is if sync workers should die
>> >> when apply worker dies (ie they are tied to apply worker) or if they
>> >> should be tied to the subscription.
>> >>
>> >> I guess taking down all the sync workers when apply worker has exited is
>> >> easier to solve. Of course it means that if apply worker restarts in
>> >> middle of table synchronization, the table synchronization will have to
>> >> start from scratch. That being said, in normal operation apply worker
>> >> should only exit/restart if subscription has changed or has been
>> >> dropped/disabled and I think sync workers want to exit/restart in that
>> >> situation as well.
>> >
>> > I agree that sync workers are tied to the apply worker.
>> >
>> >>
>> >> So for example having shmem detach hook for an apply worker (or reusing
>> >> the existing one) that searches for all the other workers for same
>> >> subscription and shuts them down as well sounds like solution to this.
>> >
>> > Seems reasonable solution.

Regards,

--
Masahiko Sawada
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center