use Context's properly to stop executing when a request is canceled

[woodsaj]

• The ctx was already being passed between the different methods
  within the query pipeline, but the context was never being inspected
  to see if it had been canceled. This commit fixes that.
• Now when an error occurs, whether that error is local or on a remote
  peer, the request is immediately canceled.
• if the client disconnects before a response is returned (whether
  that is due to a timeout or the client canceling the request), that
  cancelation will propagate throught and abort any work.

[Dieterbe]

i'm not done reviewing yet.
an overall comment at this point, is that we should be consistent in where we call cancel.
e.g. looking at findSeries and getTargets both calling cancel, but also within getTargetsRemote and getTargetsLocal, but not within s.findSeriesLocal and s.findSeriesRemote is weird.

perhaps we should have all helper functions like getTargetsRemote etc bubble up all errors as fast as they can, and leave all the canceling up to the macaron Handlers only, and they would cancel when they get errors bubbled up into them.

not sure yet if that's the best approach, i just want us to be consistent

[Dieterbe]

this would be a bit cleaner if the limiter was factored out like in https://github.com/go-graphite/carbonapi/blob/master/limiter.go btw this is probably my favorite 10 lines of Go code ever.

[Dieterbe]

this comment is not clear enough. in particular we need to clarify how this ties in to the store and the store's own tunables.

perhaps "maximum number of concurrent timeseries reads issued to the store (note that a read of an avg-aggregated series counts as 1 but issues 2 series reads)"

[woodsaj]

This is completely independent of the store. The behaviour is exactly as described, it is a cap on the number of threads used for fetching data on the local node, whether that data comes from the numerous caches or from cassandra.

[woodsaj]

maybe i just need to add that each execution thread handles only 1 series.

[Dieterbe]

that works

[Dieterbe]

actually let's clarify that this limit is per-request

[Dieterbe]

why this deferred cancel? in particular, triggering cancel() when there was no error. is this a safeguard against programming errors (e.g. that we forgot that there may still be workers running that should have exited)?

[woodsaj]

https://godoc.org/golang.org/x/net/context#WithCancel

cancel should always be called otherwise resources will leak. go vet will warn if you dont call cancel with something like

api/dataprocessor.go:135: the cancel function is not used on all paths (possible context leak)

[Dieterbe]

is this error still accurate? seems like we can hit this condition when ctx was canceled during processReadQueue, not due to the CRR being too old.

[woodsaj]

well it is too old in the sense that the CRR outlived the originating "/render" request.

[woodsaj]

It should also be noted that with the default cassandra-omit-read-timeout config, unless the client waits longer than 60seconds for a request to complete (not possible in hosted-metrics as the ingress-controller will timeout after 60seconds), o.omitted will only ever be set for requests that are cancelled (due to timeout or other error)

[Dieterbe]

right. the reason i brought this up is because it seemed useful to separate these 2 cases in the error being logged in the trace, but actually it doesn't seem to matter much so this looks fine.

[Dieterbe]

since ctx is the same for all invocations of query, we don't need to pass it in each time. that'll clean up the diff a bit. (please rebase -i and fixup into b791d24, so that we maintain clean history )

[Dieterbe]

correction: "no need to continue processing the results"

[Dieterbe]

is this an unrelated fix to allow for connection reuse? did you just notice in the code or did you observe a symptom that led you to fixing this?

[woodsaj]

this is just correct behaviour for allowing connection re-use. I noticed it missing so added it.

[woodsaj]

an overall comment at this point, is that we should be consistent in where we call cancel.

That is not possible.
findSeriesRemote and findSeriesLocal execute single goroutines. If an error occurs it is returned immediately to the caller (findSeries) and we can call cancel().
getTargetsRemote and getTargetsLocal generate lots of goroutines. If errors occur they are not returned ot the caller (getTargets) until all goroutines are complete.

[replay]

afaik types can have a function scope, so it might be worth it to declare a type for that response struct instead of redefining it 3 times

[Dieterbe]

an overall comment at this point, is that we should be consistent in where we call cancel.

That is not possible.
findSeriesRemote and findSeriesLocal execute single goroutines. If an error occurs it is returned immediately to the caller (findSeries) and we can call cancel().
getTargetsRemote and getTargetsLocal generate lots of goroutines. If errors occur they are not returned ot the caller (getTargets) until all goroutines are complete.

but we can change getTargetsRemote and getTargets to simply return the err as soon as they hit one, and the caller then calls cancel, canceling all other pending routines
this seems simple and consistent, though one could argue these 2 functions should clean up the goroutines they create themselves instead of letting the context do it.

update: here's one of the go devs sharing a pattern where it is deemed OK for functions to leak goroutines and cleaning them up by calling cancel in the caller : https://rakyll.org/leakingctx/

[replay]

That's cool

[woodsaj]

@Dieterbe I refactored so that getTargetsLocal and getTargetsRemote both return errors to their callers as soon as they happen, allowing the caller to cancel the context

[Dieterbe]

getTargetsLocal still calls cancel in 2 places. wouldn't it make sense to remove those, and add a cancel in Server.getData() after calling getTargetsLocal ?

[woodsaj]

getTargetsLocal still calls cancel in 2 places. wouldn't it make sense to remove those, and add a cancel in Server.getData() after calling getTargetsLocal ?

getTargetsLocal uses its own contextWithCancel, derived from the passed in context.

If we dont call "cancel()" inside the goroutines that are processing a req, then every req will be dispactched before we even start to read the reposnes channel for any errors. If there are 1000 reqs, and the first one returns an error, getTarget() will be called for the other 999 reqs before we notice that the first one failed. Because of the limiting, len(reqs) - getTargetsConcurrency reqs will be processed to completion before we read the responses channel.

[Dieterbe]

since our call graphs are pretty complicated, and with the various places where we call cancel and check the Done channel, it gets especially complicated I think. I'm not sure what's the best way to keep it easy to understand. For now i just created a manual diagram by going over the source. (would be nice if we can generate this)

red underline means calls cancel.
everything in a grey ellipsis is something that checks Done channel and can return early.
seems like there's a few left todo (e.g. findSeriesLocal and everything calling into MetricIndex)

[woodsaj]

i have added the withCancel contexts to metricsIndex and metricsDelete so that requests to peers are immediately canceled if any peer returns an error.

here is a more detailed diagram of the context flow. Each colour represents a different context.
Contexts withCancel are only canceled by the function that creates them and cancelations flow downwards.

[Dieterbe]

is there a specific naming scheme at play here, e.g. why not call this ctx ?

[Dieterbe]

never mind. i see now that ctx is already used

[Dieterbe]

if getTarget() returned early due to a cancel, than we will report an incorrect (and possibly unrealistically low) getTargetDuration here

[Dieterbe]

@woodsaj ^^ ?

[woodsaj]

The metric will correctly reflect the time spent running getTarget().
Is getTargetDuration meant to represent something else?

[Dieterbe]

yes. the metric represents the getting of a target. if getTarget is cancelled due to whatever reason and is not actually getting targets, then we shouldn't report this duration as it does not apply.

[Dieterbe]

generally throughout this new code, cancellations caused by client disconnect, result in non-erroreous returns (typically return nil, nil) and ultimately result in a http 499. i notice an exception to this:
in CassandraStore, omitted is set true both when (A) request can't be served due to saturated resources , as well as (B) when client connection in closed, resulting in SearchTable returning an error as well as marking the trace as failed. since getSeriesCachedStore calls panic when it gets an error from s.BackendStore.Search, doRecover will make getTarget() return an error in this case causing more spans to be marked as failed, which I think is fair for A but not for B. it's also inconsistent since other places don't log errors when they read from Done, in particular there's 2 such places in SearchTable, so depending on when exactly a context is cancelled, the outcome can vary quite a bit (reporting an error or not)

the end result is that executePlan returns an error and a http 500 is reported instead of 499. (and executePlan logs the "error" after calling getTargets)

[woodsaj]

This is ready for review again.

@Dieterbe i have removed the panics and doRecover calls in favour of passing errors. So now, the first error will cause the context to be cancelled triggering all other goroutines to quickly return (without errors).
There are still a few places in the code that panic(), but these are limited to the consolidation package and should not ever be reached. If they do panic, Macaron will catch the panic and return a 500 error to the user (and print the stacktrace in the logs)

[Dieterbe]

i have removed the panics and doRecover calls in favour of passing errors. So now, the first error will cause the context to be cancelled triggering all other goroutines to quickly return (without errors).

I don't think it is necessary to remove the panic-doRecover mechanism to achieve that: whether you bubble up an error through a callchain, or take the fast path of panicing and turning the panic into an error, the result is the same : getTarget returns an error to getTargetsLocal, which can then cancel the goroutintes.
I'm open for a discussion about removing the doRecover-fast-path (as I think you're generally not a fan of it) but AFAICT this is an issue that is separate from the requirements of this PR, so i suggest to do it in a separate ticket.

There are still a few places in the code that panic(), but these are limited to the consolidation package and should not ever be reached.

there's many, many more. in particular the ones in api/dataprocessor.go and in mdata stand out, because many of those are in the code called by getTarget.

r 'panic\(' | rv cmd | rv vendor | rv test.go
consolidation/consolidation.go:	panic(fmt.Sprintf("Consolidator.String(): unknown consolidator %d", c))
consolidation/consolidation.go:		panic("cannot get an archive for no consolidation")
consolidation/consolidation.go:		panic("avg consolidator has no matching Archive(). you need sum and cnt")
consolidation/consolidation.go:	panic(fmt.Sprintf("Consolidator.Archive(): unknown consolidator %q", c))
mdata/aggregator.go:		panic("NewAggregator called without aggregations. this should never happen")
mdata/aggregator.go:		panic("aggregator: boundary < agg.currentBoundary. ts > lastSeen should already have been asserted")
mdata/store_cassandra.go:		panic(fmt.Sprintf("Chunk span invalid: %d", span))
mdata/aggmetric.go:				panic("cannot get an archive for no consolidation")
mdata/aggmetric.go:				panic("avg consolidator has no matching Archive(). you need sum and cnt")
mdata/aggmetric.go:				panic(fmt.Sprintf("internal error: no such consolidator %q with span %d", consolidator, aggSpan))
mdata/aggmetric.go:		panic(fmt.Sprintf("aggmetric %s queried for chunk %d out of %d chunks", a.Key, pos, len(a.Chunks)))
mdata/aggmetric.go:				panic("cannot get an archive for no consolidation")
mdata/aggmetric.go:				panic("avg consolidator has no matching Archive(). you need sum and cnt")
mdata/aggmetric.go:			panic(fmt.Sprintf("AggMetric.GetAggregated(): unknown consolidator %q", consolidator))
mdata/aggmetric.go:	panic(fmt.Sprintf("GetAggregated called with unknown aggSpan %d", aggSpan))
mdata/aggmetric.go:		panic("invalid request. to must > from")
mdata/aggmetric.go:			panic(fmt.Sprintf("FATAL ERROR: this should never happen. Pushing initial value <%d,%f> to new chunk at pos 0 failed: %q", ts, val, err))
mdata/aggmetric.go:				panic(fmt.Sprintf("FATAL ERROR: this should never happen. Pushing initial value <%d,%f> to new chunk at pos %d failed: %q", ts, val, a.CurrentChunkPos, err))
mdata/aggmetric.go:				panic(fmt.Sprintf("FATAL ERROR: this should never happen. Pushing initial value <%d,%f> to new chunk at pos %d failed: %q", ts, val, a.CurrentChunkPos, err))
batch/aggregator.go:		panic("avg() called in aggregator with 0 terms")
batch/aggregator.go:		panic("last() called in aggregator with 0 terms")
batch/aggregator.go:		panic("min() called in aggregator with 0 terms")
batch/aggregator.go:		panic("max() called in aggregator with 0 terms")
stats/registry.go:		panic(fmt.Sprintf(errFmtMetricExists, name, existing))
expr/parse.go:		panic("arg list should start with paren. calling code should have asserted this")
expr/parse.go:		panic("string should start with open quote. calling code should have asserted this")
api/dataprocessor.go:		panic(fmt.Errorf("divide of a series with len %d by a series with len %d", len(pointsA), len(pointsB)))

Macaron will catch the panic and return a 500 error to the user (and print the stacktrace in the logs)

since s.getTargetsLocal() is run in separate goroutines, macaron doesn't have the ability to catch them and handle them cleanly. If you remove the doRecover , many of these problems will result in MT crashing, which is bad.

[woodsaj]

Ill re-add the doRecover back in to catch the remaining panics that can be thrown inside the getTarget() goroutine. But the refactor to use errors instead of calling panic going to stay. It is well established that panics should be avoided whenever possible.

https://golang.org/doc/effective_go.html#errors
https://dave.cheney.net/2012/01/18/why-go-gets-exceptions-right

[Dieterbe]

It is well established that panics should be avoided whenever possible.

and yet, the doRecover mechanism is also an established practice.
You can find this mechanism in plenty of open source projects (e.g. youtube's vitess, bosun, ...), and even the standard library (text/template package)
it is documented at https://github.com/golang/go/wiki/PanicAndRecover

By convention, no explicit panic() should be allowed to cross a package boundary. Indicating error conditions to callers should be done by returning error value. Within a package, however, especially if there are deeply nested calls to non-exported functions, it can be useful (and improve readability) to use panic to indicate error conditions which should be translated into error for the calling function.

that is exactly the use case we use it for. If anything, the thing we're doing improperly here, according to this document, is that we use it across package boundaries.

I may not agree with your reasons, but I am OK with migrating away from this approach though.
the main reasons in my view are:

• supposed to be within 1 package, but we don't have significant stack depth within only the api package
• it will make the code a bit simpler to reason about (albeit potentially more verbose when all is said and done, but that's a worthy trade-off), especially for newcomers.

I have just pushed 3 commits to clean things up a bit, please let me know what you think.

[Dieterbe]

If you approve of the 3 commits I've pushed, and you can address the one remark that's still pending, then I think this is good to go. (don't worry about the conflicts, i can resolve them when i merge)

[woodsaj]

LGTM

[woodsaj]

But what if there is a problem that causes requests to spend too long in getTargets when a context is canceled. We would lose visibility into the problem. GetTargets does a lot of things, I don't think it is a good measure of anything other then how long getTarget runs for.

…

On Dec 5, 2017 9:52 PM, "Dieter Plaetinck" ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In api/dataprocessor.go <#728 (comment)>: > if err != nil { tags.Error.Set(span, true) - errorsChan <- err + cancel() // cancel all other requests. + responses <- getTargetsResp{nil, err} } else { getTargetDuration.Value(time.Now().Sub(pre)) yes. the metric represents the getting of a target. if getTarget is cancelled due to whatever reason and is not actually getting targets, then we shouldn't report this duration as it does not apply. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#728 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AIBnYAunrvvD8bH8qkwqvge0PLWwAQUTks5s9UqSgaJpZM4PX0Qi> .

[Dieterbe]

ok that works for me