Limit rare race condition in topo.Server

[frouioui]

Description

This PR was motivated by what first looked like a flaky test, TestRunFailsToStartTabletManager was failing very often due to either a segfault or a race condition, both on the topo.Server. Turns out that this test is actually exposing a race condition that can only happen when the server is being closed and another goroutine is accessing the topo.Server's connections.

Below are the two traces that were observed when running TestRunFailsToStartTabletManager:

Segmentation fault

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x50 pc=0x11ca08a]


goroutine 58 [running]:
vitess.io/vitess/go/vt/topo.(*Lock).lock(0xc00098c420, {0x2dc5d08, 0xc0006b2030}, 0xc0005332c0, {0x2dbdbe0, 0xc0004a6030}, {0x0?, 0x10?, 0xc000086d40?})
/home/runner/work/vitess/vitess/go/vt/topo/locks.go:187 +0x4ca
vitess.io/vitess/go/vt/topo.(*Server).internalLock(0xc0005332c0, {0x2dc5d40, 0xc00069c4b0}, {0x2dbdbe0, 0xc0004a6030}, {0x26f3105, 0xf}, {0x0, 0x0, 0x0})
/home/runner/work/vitess/vitess/go/vt/topo/locks.go:233 +0x26f
vitess.io/vitess/go/vt/topo.(*Server).LockKeyspace(0xc0005332c0, {0x2dc5d40, 0xc00069c4b0}, {0x26db470, 0x2}, {0x26f3105, 0xf}, {0x0, 0x0, 0x0})
/home/runner/work/vitess/vitess/go/vt/topo/keyspace_lock.go:47 +0xd6
vitess.io/vitess/go/vt/topotools.RebuildKeyspace({0x2dc5d40, 0xc00069c4b0}, {0x2dd75c0, 0xc000749f00}, 0xc0005332c0, {0x26db470, 0x2}, {0xc000749f70, 0x1, 0x1}, ...)
/home/runner/work/vitess/vitess/go/vt/topotools/rebuild_keyspace.go:34 +0xc5
vitess.io/vitess/go/vt/vttablet/tabletmanager.(*TabletManager).rebuildKeyspace(0xc0003fe1e0, {0x2dc5d40, 0xc00069c4b0}, 0xc000197eb0?, {0x26db470, 0x2}, 0x3b9aca00)
/home/runner/work/vitess/vitess/go/vt/vttablet/tabletmanager/tm_init.go:650 +0x22e
created by vitess.io/vitess/go/vt/vttablet/tabletmanager.(*TabletManager).createKeyspaceShard in goroutine 39
/home/runner/work/vitess/vitess/go/vt/vttablet/tabletmanager/tm_init.go:581 +0x590

Race condition

2024-11-03T22:10:32.0591213Z ==================
2024-11-03T22:10:32.0591453Z WARNING: DATA RACE
2024-11-03T22:10:32.0591728Z Read at 0x00c000898000 by goroutine 62:
2024-11-03T22:10:32.0592161Z   vitess.io/vitess/go/vt/topo.(*Server).GetCellInfo()
2024-11-03T22:10:32.0592797Z       /home/runner/work/vitess/vitess/go/vt/topo/cell_info.go:62 +0x65
2024-11-03T22:10:32.0593348Z   vitess.io/vitess/go/vt/topo.(*Server).ConnForCell()
2024-11-03T22:10:32.0594006Z       /home/runner/work/vitess/vitess/go/vt/topo/server.go:275 +0x228
2024-11-03T22:10:32.0594586Z   vitess.io/vitess/go/vt/topo.(*Server).UpdateSrvKeyspace()
2024-11-03T22:10:32.0595255Z       /home/runner/work/vitess/vitess/go/vt/topo/srv_keyspace.go:630 +0x93
2024-11-03T22:10:32.0595900Z   vitess.io/vitess/go/vt/topotools.RebuildKeyspaceLocked.func1()
2024-11-03T22:10:32.0596679Z       /home/runner/work/vitess/vitess/go/vt/topotools/rebuild_keyspace.go:151 +0x132
2024-11-03T22:10:32.0597386Z   vitess.io/vitess/go/vt/topotools.RebuildKeyspaceLocked.gowrap1()
2024-11-03T22:10:32.0598175Z       /home/runner/work/vitess/vitess/go/vt/topotools/rebuild_keyspace.go:154 +0x61
2024-11-03T22:10:32.0598611Z 
2024-11-03T22:10:32.0598772Z Previous write at 0x00c000898000 by goroutine 40:
2024-11-03T22:10:32.0599211Z   vitess.io/vitess/go/vt/topo.(*Server).Close()
2024-11-03T22:10:32.0599995Z       /home/runner/work/vitess/vitess/go/vt/topo/server.go:352 +0x137
2024-11-03T22:10:32.0600567Z   vitess.io/vitess/go/cmd/vttablet/cli.run.deferwrap1()
2024-11-03T22:10:32.0601228Z       /home/runner/work/vitess/vitess/go/cmd/vttablet/cli/cli.go:118 +0x33
2024-11-03T22:10:32.0601725Z   runtime.deferreturn()
2024-11-03T22:10:32.0602228Z       /opt/hostedtoolcache/go/1.23.2/x64/src/runtime/panic.go:605 +0x5d
2024-11-03T22:10:32.0602734Z   github.com/spf13/cobra.(*Command).execute()
2024-11-03T22:10:32.0603378Z       /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:985 +0x10f3
2024-11-03T22:10:32.0603940Z   github.com/spf13/cobra.(*Command).ExecuteC()
2024-11-03T22:10:32.0604586Z       /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1117 +0x655
2024-11-03T22:10:32.0605134Z   github.com/spf13/cobra.(*Command).Execute()
2024-11-03T22:10:32.0605778Z       /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1041 +0x5a9
2024-11-03T22:10:32.0606373Z   github.com/spf13/cobra.(*Command).ExecuteContext()
2024-11-03T22:10:32.0607041Z       /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1034 +0x5a4
2024-11-03T22:10:32.0607913Z   vitess.io/vitess/go/cmd/vttablet/cli.TestRunFailsToStartTabletManager()
2024-11-03T22:10:32.0608706Z       /home/runner/work/vitess/vitess/go/cmd/vttablet/cli/cli_test.go:56 +0x52d
2024-11-03T22:10:32.0609214Z   testing.tRunner()
2024-11-03T22:10:32.0609716Z       /opt/hostedtoolcache/go/1.23.2/x64/src/testing/testing.go:1690 +0x226
2024-11-03T22:10:32.0610206Z   testing.(*T).Run.gowrap1()
2024-11-03T22:10:32.0610726Z       /opt/hostedtoolcache/go/1.23.2/x64/src/testing/testing.go:1743 +0x44
2024-11-03T22:10:32.0611088Z 
2024-11-03T22:10:32.0611209Z Goroutine 62 (running) created at:
2024-11-03T22:10:32.0611657Z   vitess.io/vitess/go/vt/topotools.RebuildKeyspaceLocked()
2024-11-03T22:10:32.0612398Z       /home/runner/work/vitess/vitess/go/vt/topotools/rebuild_keyspace.go:149 +0x884
2024-11-03T22:10:32.0613036Z   vitess.io/vitess/go/vt/topotools.RebuildKeyspace()
2024-11-03T22:10:32.0613740Z       /home/runner/work/vitess/vitess/go/vt/topotools/rebuild_keyspace.go:40 +0x286
2024-11-03T22:10:32.0614521Z   vitess.io/vitess/go/vt/vttablet/tabletmanager.(*TabletManager).rebuildKeyspace()
2024-11-03T22:10:32.0615406Z       /home/runner/work/vitess/vitess/go/vt/vttablet/tabletmanager/tm_init.go:650 +0x3c4
2024-11-03T22:10:32.0616280Z   vitess.io/vitess/go/vt/vttablet/tabletmanager.(*TabletManager).createKeyspaceShard.gowrap2()
2024-11-03T22:10:32.0617211Z       /home/runner/work/vitess/vitess/go/vt/vttablet/tabletmanager/tm_init.go:581 +0x8f
2024-11-03T22:10:32.0617662Z 
2024-11-03T22:10:32.0617786Z Goroutine 40 (running) created at:
2024-11-03T22:10:32.0618107Z   testing.(*T).Run()
2024-11-03T22:10:32.0618611Z       /opt/hostedtoolcache/go/1.23.2/x64/src/testing/testing.go:1743 +0x825
2024-11-03T22:10:32.0619096Z   testing.runTests.func1()
2024-11-03T22:10:32.0619620Z       /opt/hostedtoolcache/go/1.23.2/x64/src/testing/testing.go:2168 +0x85
2024-11-03T22:10:32.0620079Z   testing.tRunner()
2024-11-03T22:10:32.0620573Z       /opt/hostedtoolcache/go/1.23.2/x64/src/testing/testing.go:1690 +0x226
2024-11-03T22:10:32.0621043Z   testing.runTests()
2024-11-03T22:10:32.0621534Z       /opt/hostedtoolcache/go/1.23.2/x64/src/testing/testing.go:2166 +0x8be
2024-11-03T22:10:32.0622169Z   testing.(*M).Run()
2024-11-03T22:10:32.0622659Z       /opt/hostedtoolcache/go/1.23.2/x64/src/testing/testing.go:2034 +0xf17
2024-11-03T22:10:32.0623102Z   main.main()
2024-11-03T22:10:32.0623394Z       _testmain.go:45 +0x164
2024-11-03T22:10:32.0623663Z ==================

I have been through the code and find at least 3 other code paths that can expose a similar race condition too:

vtgate SQL handler -> StreamExecute -> StreamExecutePrimitive -> TryStreamExecute -> VStream -> ExecuteVStream -> startVStream -> stream -> startOneStream -> (go) streamFromTablet -> PickForStreaming -> GetMatchingTablets -> GetCellInfo

vtctld cli -> initSchema -> schemamanager.Run -> executor.Execute -> exec.executeSQL -> exec.executeAlterMigrationThrottle -> exec.ts.UpdateSrvKeyspaceThrottlerConfig -> (go) ts.GetSrvKeyspace -> ts.GetSrvKeyspace -> ts.ConnForCell -> ts.GetCellInfo

vtorc cli -> StartVTOrcDiscovery -> (go) ContinuousDiscovery -> (go) refreshAllTablets -> refreshTabletsUsing -> (go) refreshTabletsInKeyspaceShard -> ts.GetTabletsByShard -> ts.GetTabletsByShardCell -> ts.GetCellInfoNames

Proposed Solutions

I have explored several options to fix this issue:

1. Have a global mutex in topo.Server, locking it whenever we need to Close it or use the connections. Dropped off this idea as it would impact performance negatively, specially for our gRPC servers that use topo.Server a lot and need fast concurrent operations. gRPC is not even affected by such panic/segfault, as when closing the server we first wait for all gRPC connections to close.
2. Create a new method that returns the connection. The method would acquire a lock and release it when returning, we would make a copy of the connection, ensuring the same field wouldn't be accessed twice at the same time. However, this expose another issue: when closing topo.Server we also close the topo connection and set it to nil, but in our implementations of the topo connections we don't check if the topo connection is nil or not before using it. For this reason and for a potential performance impact I gave up this idea.
3. Simply not set the topo.Server fields to nil. This was given up for the same reason (on the topo connection implementation) explained in idea number 2.
4. Have an atomic counter or boolean. Everytime we need to use the connections we would set a boolean to true or increase a counter, the Close method would only proceed when the boolean is set to false or the counter is equal to 0, this would imply we add some sort of timeout to the Close method to "force-close" after a certain time even if the not all usages of the connection are complete. This method would be a bit more invasive and require a decent amount of changes. Given that the impact of this issue is very small and only happens if the binary was going to stop anyway, I opted for option 5 instead.
5. Make sure we check the context we are given before accessing the topo connections. This is something that we are currently not always doing. We cancel the context before calling the Close method on the topo.Server, checking the context before accessing the topo connections should avoid a lot of our issues. I think this is a good first approach, if we observe more panics/segfault in the future we could implement option 4.

This PR implements option 5, making sure we are checking the context every time we need to access the topo connection. It is not a 100% safe solution as some race condition may still happen, but: 1. they're already pretty unlikely, 2. this will safeguard a lot of potential race condition already.

[vitess-bot]

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

• Ensure that the Pull Request has a descriptive title.
• Ensure there is a link to an issue (except for internal cleanup and flaky test fixes), new features should have an RFC that documents use cases and test cases.

Tests

• Bug fixes should have at least one unit or end-to-end test, enhancement and new features should have a sufficient number of tests.

Documentation

• Apply the release notes (needs details) label if users need to know about this change.
• New features should be documented.
• There should be some code comments as to why things are implemented the way they are.
• There should be a comment at the top of each new or modified test to explain what the test does.

New flags

• Is this flag really necessary?
• Flag names must be clear and intuitive, use dashes (-), and have a clear help text.

If a workflow is added or modified:

• Each item in Jobs should be named in order to mark it as required.
• If the workflow needs to be marked as required, the maintainer team must be notified.

Backward compatibility

• Protobuf changes should be wire-compatible.
• Changes to _vt tables and RPCs need to be backward compatible.
• RPC changes should be compatible with vitess-operator
• If a flag is removed, then it should also be removed from vitess-operator and arewefastyet, if used there.
• vtctl command output order should be stable and awk-able.

[codecov]

Codecov Report

Attention: Patch coverage is 41.72662% with 81 lines in your changes missing coverage. Please review.

Project coverage is 67.38%. Comparing base (78f7db2) to head (8797ec7).
Report is 8 commits behind head on main.

Files with missing lines	Patch %	Lines
go/vt/topo/vschema.go	38.88%	22 Missing ⚠️
go/vt/topo/keyspace.go	42.85%	12 Missing ⚠️
go/vt/topo/external_vitess_cluster.go	26.66%	11 Missing ⚠️
go/vt/topo/cell_info.go	37.50%	10 Missing ⚠️
go/vt/topo/cells_aliases.go	46.66%	8 Missing ⚠️
go/vt/topo/metadata.go	33.33%	8 Missing ⚠️
go/vt/topo/shard.go	46.66%	8 Missing ⚠️
go/vt/topo/locks.go	66.66%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #17165      +/-   ##
==========================================
+ Coverage   67.32%   67.38%   +0.06%     
==========================================
  Files        1569     1569              
  Lines      252552   252681     +129     
==========================================
+ Hits       170032   170280     +248     
+ Misses      82520    82401     -119     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[frouioui]

Adding Do Not Merge as I want to re-run the workflows several times before merging this.

[mattlord]

Thanks!

[deepthi]

Nice work! It does seem as though the last commit has started breaking one of the zk2 topo tests.

[frouioui]

It does seem as though the last commit has started breaking one of the zk2 topo tests.

@mattlord and I have seen this test flakes in the past. I will merge this PR as the failure observed on the ZK2 test does not seem to be caused by this PR.