Fix mqbc: Cluster FSM must heal before starting Partition FSMs

[kaikulimu]

Today in the Cluster FSM, leader becomes healed upon the CSL commit success of the first leader advisory, where it will initialize the queue key info map on the cluster thread. Near identical logic exists at the follower node.

At the same time, CSL commit callback fires and triggers the onPartitionPrimaryAssignment observer, which jumpstarts the Partition FSM. The Partition FSM will eventually attempt to open FileStore in the partition thread, which will access the queue key info map. There is a slight chance of race condition, so let's fix it.

The fix consists of two parts:

1. We always update the partition information before triggering the corresponding transitions in the Partition FSMs, so that PFSMs always have access to latest info. As a result, the PFSM actions do_storePartitionInfo and do_clearPartitionInfo are removed.
2. We make sure PFSMs are only jumpstarted after queue key info map is initialized. We achieve this by delay calling processPrimaryDetect/processReplicaDetect until initializeQueueKeyInfoMap has completed.

After the fix, we can observe that the events happen in the correct order -- Cluster FSM becomes healed before any Partition FSM can start:

east1            16Dec2025_22:55:29.741 (     6174732288) INFO     *qbc.clusterstatemanager mqbc_clusterstatemanager.cpp:1032 Cluster (itCluster): Committed advisory: [ rId = NULL choice = [ clusterMessage = [ choice = [ leaderAdvisory = [ sequenceNumber = [ electorTerm = 1 sequenceNumber = 1 ] partitions = [ [ partitionId = 0 primaryNodeId = 1 primaryLeaseId = 1 ] [ partitionId = 1 primaryNodeId = 1 primaryLeaseId = 1 ] [ partitionId = 2 primaryNodeId = 1 primaryLeaseId = 1 ] [ partitionId = 3 primaryNodeId = 1 primaryLeaseId = 1 ] ] queues = [ ] ] ] ] ] ], with status 'SUCCESS'
east1            16Dec2025_22:55:29.779 (     6174732288) INFO     *bmqbrkr.mqbc.clusterfsm mqbc_clusterfsm.cpp:93  Cluster FSM on Event 'CSL_CMT_SUCCESS', transition: State 'LDR_HEALING_STG2' =>  State 'LDR_HEALED'
east1            16Dec2025_22:55:29.842 (     6171291648) INFO     *rkr.mqbc.storagemanager mqbc_storagemanager.cpp:508 Cluster (itCluster) Partition [0]: Self Transition to Primary in the Partition FSM.
east1            16Dec2025_22:55:29.848 (     6171291648) INFO     *qbrkr.mqbc.partitionfsm mqbc_partitionfsm.cpp:78  Partition FSM for Partition [0] on Event 'DETECT_SELF_PRIMARY', transition: State 'UNKNOWN' =>  State 'PRIMARY_HEALING_STG1'

[bmq-oss-ci]

Build 3173 of commit f9d52c6 has completed with FAILURE

[dorjesinpo]

Can't we call initializeQueueKeyInfoMap (unconditionally) before any FSM event (and not as FSM event) to avoid any possibility for a race?

[dorjesinpo]

There seems to be the same check in mqbc::StorageUtil::clearPrimaryForPartition already (without logging)

[kaikulimu]

The same check used to be in mqbc::StorageUtil::clearPrimaryForPartition, but I removed it because I want to call this util method during mqbc::StorageManager::processShutdownEventDispatched and mqbc::StorageManager::stop, neither of which has easy access to mqbnet::ClusterNode* primary.

Thus, I moved the check upwards to mqbblp::StorageManager::clearPrimaryForPartitionDispatched. And you reminded me to do the same check inside mqbc::StorageManager::clearPrimaryForPartitionDispatched. Will add.

[dorjesinpo]

Good simplification. Can we make the same for the Cluster FSM?

[kaikulimu]

Yes, similar to Partition FSM, we should have a singleton internal queue to process FSM events, instead of creating a new event queue every time and passing it as FSM args. Will make the change.

[dorjesinpo]

Is there any motivation behind the inDispatcherThread() check other than optimization? Does it fix some race, if so which one?

[kaikulimu]

Before my PR, dispatchEventToPartition was only executed in the cluster dispatcher thread. I extended the method to be possibly executed by either cluster or queue dispatcher thread. I added this inDispatcherThread() check mostly for optimization, and to prevent unexpected logic when the PFSM is enqueueing events -- dispatching an event from queue thread to itself introduces a gap and is prone to race conditions. I did not encounter a specific bug while developing the code, but I was following a similar code change by Alex in #929 in which he did report to fix a race condition. So I would say executing in place is more thread-safe in general.

[dorjesinpo]

why removing this warning? Should it be an assertion?

[kaikulimu]

initializeQueueKeyInfoMap needs to be called exactly once when the Cluster FSM becomes healed for the first time (either here or here), and before Partition FSMs are jumpstarted. If there is a change in leader, Cluster FSM goes through unknown to healed cycle again, but this time initializeQueueKeyInfoMap should not be called. The d_isQueueKeyInfoMapVecInitialized flag prevents the method from being called again. Therefore, we have no need to warn or alarm if we return early -- it simply indicates a change in leader.

[dorjesinpo]

Should mqbnet::ClusterImp::d_selfNodeId be const?

[kaikulimu]

Yes

[kaikulimu]

Changed mqbnet::ClusterImp::d_name to const too

[dorjesinpo]

It looks like e_DETECT_SELF_PRIMARY can be enqueued twice (depending on the race). By StorageManager::initializeQueueKeyInfoMap and by setPrimaryForPartitionDispatched.
If so, this is undesirable.

Same about e_DETECT_SELF_REPLICA

[kaikulimu]

This is an important design decision I made for this PR, and please suggest alternatives if you think there is a better solution. processPrimaryDetect/processReplicaDetect triggers the healing process in Partition FSMs by enqueueing an e_DETECT_SELF_PRIMARY/e_DETECT_SELF_REPLICA event. processPrimaryDetect/processReplicaDetect is called during setPrimaryForPartitionDispatched, which happens whenever we commit a CSL advisory. The first CSL advisory commit transitions us to a healed leader/follower, and at this time we must do initializeQueueKeyInfoMap before jumpstarting the Partition FSMs -- this is the race you reported that I am trying to fix. Therefore, this PR's implementation blocks processPrimaryDetect/processReplicaDetect from being called during setPrimaryForPartitionDispatched if d_isQueueKeyInfoMapVecInitialized is false. Instead, initializeQueueKeyInfoMap calls processPrimaryDetect/processReplicaDetect near the end of the method. Future calls of setPrimaryForPartitionDispatched will not be blocked by d_isQueueKeyInfoMapVecInitialized and thus will trigger the Partition FSMs normally.

[kaikulimu]

Can't we call initializeQueueKeyInfoMap (unconditionally) before any FSM event (and not as FSM event) to avoid any possibility for a race?

initializeQueueKeyInfoMap copies information from the cluster state into d_queueKeyInfoMapVec so that partition threads can access those information in a thread-safe manner. It must be called after Cluster FSM is healed to ensure that the cluster state is up-to-date, and before Partition FSMs attempt to open file store. Hence, we can't really call it before any FSM event.

[bmq-oss-ci]

Build 3180 of commit 038355a has completed with FAILURE