KAFKA-14830: Illegal state error in transactional producer #17022
Conversation
| @@ -667,14 +667,23 @@ public synchronized void maybeTransitionToErrorState(RuntimeException exception) | |||
| } | |||
|
|
|||
| synchronized void handleFailedBatch(ProducerBatch batch, RuntimeException exception, boolean adjustSequenceNumbers) { | |||
| maybeTransitionToErrorState(exception); | |||
| boolean isStaleBatch = batch.producerId() == producerIdAndEpoch.producerId && batch.producerEpoch() < producerIdAndEpoch.epoch; | |||
There was a problem hiding this comment.
I'm wondering if there are any cases where producerIdAndEpoch could have a race -- or is case there the ID and epoch are the same but the issue still happens
btw -- maybe not super common, but could the overflow case be missed here? (new producer id and epoch resets due to epoch reaching max value)
There was a problem hiding this comment.
Thanks for the feedback @jolshan!
I'm wondering if there are any cases where producerIdAndEpoch could have a race -- or is case there the ID and epoch are the same but the issue still happens
There are a couple of bug reports with logs. I'll dig through those to see if it's happened in the wild.
btw -- maybe not super common, but could the overflow case be missed here? (new producer id and epoch resets due to epoch reaching max value)
Sounds super rare ;)
If an epoch overflowed, wouldn't that just be interpreted as 'not equal' to the last known epoch, and thus trigger the "stale batch" logic? Perhaps my understanding of staleness is too naive?
Thanks!
|
I think the overall approach makes sense. But I would like to see some tests to see if the issue is improved. If so the logging could also give us some more insight. |
|
This PR is being marked as stale since it has not had any activity in 90 days. If you If you are having difficulty finding a reviewer, please reach out on the [mailing list](https://kafka.apache.org/contact). If this PR is no longer valid or desired, please feel free to close it. If no activity occurs in the next 30 days, it will be automatically closed. |
|
Still needed, just lower priority 😞 |
|
cc @k-raina |
@jolshan—The unit tests mimic the use cases that were seen in the wild. What other test cases should we consider? Thanks! |
kirktrue
changed the title
| * Returns {@code true} if the given {@link ProducerBatch} has the same producer ID but a different epoch than the | ||
| * {@link #producerIdAndEpoch cached producer ID and epoch}. | ||
| */ | ||
| synchronized boolean isStaleBatch(ProducerBatch batch) { |
There was a problem hiding this comment.
Does this method need to by synchronized?
Also seems it could be private?
There was a problem hiding this comment.
Does this method need to by
synchronized?
No, not at present.
Also seems it could be
private?
Yes, it could. I might even just inline it in handleFailedBatch() to simplify things.
There was a problem hiding this comment.
I inlined the 'is stale batch' logic into handleFailedBatch(), so these issues are no longer present.
| @@ -737,14 +737,21 @@ public synchronized void maybeTransitionToErrorState(RuntimeException exception) | |||
| } | |||
|
|
|||
| synchronized void handleFailedBatch(ProducerBatch batch, RuntimeException exception, boolean adjustSequenceNumbers) { | |||
| maybeTransitionToErrorState(exception); | |||
| if (!isStaleBatch(batch) && !hasFatalError()) | |||
There was a problem hiding this comment.
Not sure if I understand the !hasFatalError() condition. Can you elaborate? -- I thought we want to call maybeTransitionToErrorState(exception); for any non-stale batch, independent of the current error state?
There was a problem hiding this comment.
Based on the type of the exception pass in, the logic in maybeTransitionToErrorState() may set the internal state to either FATAL_ERROR or ABORTABLE_ERROR. Assuming there's a race condition of failures, it's possible the transaction manager could be set to a FATAL_ERROR state, followed by a call to handleFailedBatch() that then attempts to set the state to ABORTABLE_ERROR. Transitioning from FATAL_ERROR to any other state results in an IllegalStateException.
This is an attempt to prevent that case. I will add another unit test or two to make sure this is a valid concern.
cc @jolshan
There was a problem hiding this comment.
I will add another unit test or two to make sure this is a valid concern.
Turns out I already had a unit test for that: testBatchesReceivedAfterFatalError(). If I remove the !hasFatalError() condition that test fails:
TransactionalId foobar: Invalid transition attempted from state FATAL_ERROR to state ABORTABLE_ERROR
java.lang.IllegalStateException: TransactionalId foobar: Invalid transition attempted from state FATAL_ERROR to state ABORTABLE_ERROR
at org.apache.kafka.clients.producer.internals.TransactionManager.transitionTo(TransactionManager.java:1082)
at org.apache.kafka.clients.producer.internals.TransactionManager.transitionToAbortableError(TransactionManager.java:498)
at org.apache.kafka.clients.producer.internals.TransactionManager.maybeTransitionToErrorState(TransactionManager.java:735)
at org.apache.kafka.clients.producer.internals.TransactionManager.handleFailedBatch(TransactionManager.java:745)
at org.apache.kafka.clients.producer.internals.TransactionManagerTest.testBatchesReceivedAfterFatalError(TransactionManagerTest.java:3987)
at java.base/java.lang.reflect.Method.invoke(Method.java:569)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
| if (!isStaleBatch && !hasFatalError()) | ||
| maybeTransitionToErrorState(exception); |
There was a problem hiding this comment.
Is this comment helpful or distracting?
| if (!isStaleBatch && !hasFatalError()) | |
| maybeTransitionToErrorState(exception); | |
| // It's possible the transaction manager is already in the FATAL_ERROR | |
| // state at this point. Depending on the incoming exception type, | |
| // maybeTransitionToErrorState() could attempt to set the state to | |
| // ABORTABLE_ERROR. For example, suppose a fatal error occurred during a | |
| // transaction, and then moments later one of the batches in that | |
| // transaction failed with a TimeoutException. | |
| // maybeTransitionToErrorState() would then (blindly) attempt to | |
| // transition to ABORTABLE_ERROR, which is invalid and would result | |
| // in an IllegalStateException. | |
| // | |
| // Therefore, only attempt to transition to the FATAL_ERROR state if | |
| // the batch is "fresh" *and* the transaction manager is not already | |
| // in the FATAL_ERROR state. | |
| if (!isStaleBatch && !hasFatalError()) | |
| maybeTransitionToErrorState(exception); |
When the producer's transaction manager receives a notification that an
error has occurred during a transaction, it takes steps to abort the
transaction and reset its internal state.
Users have reported the following case where a producer experiences
timeouts while in a transaction:
TransactionManager(TM) starts with stateREADYand epochset to
0IN_TRANSACTIONABORTING_TRANSACTION0to1andsetting its state to
READYSenderthread, one of the failed batchescalls
handleFailedBatch()handleFailedBatch()sets the TM state toABORTABLE_ERRORwhichis an invalid state transition from
READY, hence the exceptionThis change compares the transaction manager's current epoch (
1)with the batch's epoch (
0). If they're different, the batch isconsidered "stale" and can be ignored (though a
DEBUGmessage islogged).