Adds exponential backoff to re-spawing new streams for supposedly dead peers #483
Conversation
There was a problem hiding this comment.
We need some mechanisms to prune this new datastructure once peers get disconnected, otherwise it could be a memory leak.
We also should reset the backoff timer after a while. We can track the time when the last request happened, and if we are more than some threshold past that time, then we can reset the timer and just return the base timeout.
backoff.go
Outdated
| if len(b.info) > b.ct { | ||
| b.cleanup() | ||
| } |
There was a problem hiding this comment.
nit: if we have a lot of peers (more than b.ct), then we will end up running b.cleanup() on every call to this function (which requires looping though the entire map), even when there is nothing to cleanup. Perhaps we need a better way to handle this?
For example, if we maintain an additional heap datastructure which is sorted by the expiration time, then at every call to the function we can just pop all the expired entries from the heap one by one and remove them from the map. This would require us to track the explicit expiration time in each backoffHistory, rather than lastTried.
Will leave to @vyzo to decide whether this is necessary.
There was a problem hiding this comment.
Lets see if it is actually a problem in practice
There was a problem hiding this comment.
Actually it might be problematic, lets run a background goroutine that does it periodically (say once a minute).
There was a problem hiding this comment.
Added in a9f4edf
backoff.go
Outdated
| } else if h.duration < MinBackoffDelay { | ||
| h.duration = MinBackoffDelay | ||
| } else if h.duration < MaxBackoffDelay { | ||
| h.duration = time.Duration(BackoffMultiplier * h.duration) |
backoff.go
Outdated
| if len(b.info) > b.ct { | ||
| b.cleanup() | ||
| } |
There was a problem hiding this comment.
Lets see if it is actually a problem in practice
backoff.go
Outdated
| if len(b.info) > b.ct { | ||
| b.cleanup() | ||
| } |
There was a problem hiding this comment.
Actually it might be problematic, lets run a background goroutine that does it periodically (say once a minute).
comm.go
Outdated
| @@ -121,6 +122,16 @@ func (p *PubSub) handleNewPeer(ctx context.Context, pid peer.ID, outgoing <-chan | |||
| } | |||
| } | |||
|
|
|||
| func (p *PubSub) handleNewPeerWithBackoff(ctx context.Context, pid peer.ID, outgoing <-chan *RPC) { | |||
| delay := p.deadPeerBackoff.updateAndGet(pid) | |||
There was a problem hiding this comment.
I think we need to add a failure more if we have backed off too much and simply give up; say we try up to 10 times and then updateAndGet returns an error and we close the channel and forget the peer.
How does that sound?
There was a problem hiding this comment.
maybe 10 is even too much, 3-4 attempts should be enough.
backoff.go
Outdated
| defer b.mu.Unlock() | ||
|
|
||
| h, ok := b.info[id] | ||
| if !ok || time.Since(h.lastTried) > TimeToLive { |
There was a problem hiding this comment.
let's write this if/else sequence with a switch, will be nicer.
backoff.go
Outdated
| } | ||
| } | ||
|
|
||
| h.lastTried = time.Now() |
There was a problem hiding this comment.
let's get the time after checking the max attempts, will avoid the gettimeofday call in that case.
There was a problem hiding this comment.
Please read my reply to the below comment as this part has got changed.
comm.go
Outdated
| delay, valid := p.deadPeerBackoff.updateAndGet(pid) | ||
| if !valid { | ||
| return fmt.Errorf("backoff attempts to %s expired after reaching maximum allowed", pid) | ||
| } |
There was a problem hiding this comment.
let's return the error directly from updateAndGet instead of a bool, makes for simpler code.
There was a problem hiding this comment.
I decoupled updating the backoff history from checking for the number of backoff attempts. Hence now updateAndGet only increments the backoff attempts without returning any boolean or error indicating the maximum attempts reached. Instead, I introduced a separate peerExceededBackoffThreshold method that checks whether the backoff attempts of a peer exceeds the defined threshold. The reasons for this change are:
-
We want to close the channel and forget the peer if the backoff attempts go beyond a threshold. The
updateAndGetis called on a goroutine while themessageschannel andpeersmap are residing on a separategoroutine. So, if we letupdateAndGetreturn a backoff attempt exceeding error and thegoroutinethat it resides on attempts on closing themessageschannel and forgetting peer frompeersmap, it results in a race condition between the twogoroutines, and also the code is vulnerable to panic when thisdeferfunction is executed, as it is trying to close an already closed channel, i.e.,themessageschannel that we closed onupdateAndGet. -
By this decoupling, we invoke
peerExceededBackoffThresholdon the parentgoroutine, hence we give up on backing off if the peer exceeds the backoff threshold rightaway, without opening any channel, spawning any childgoroutineforupdateAndGet. Moreover, the peer is forgotten by the subsequent lines. Hence, no vulnerability for race conditions and less resource allocation-deallocations.
Please let me know how does it sound?
There was a problem hiding this comment.
sounds better than what we had :)
pubsub.go
Outdated
| @@ -683,19 +683,15 @@ func (p *PubSub) handleDeadPeers() { | |||
|
|
|||
| close(ch) | |||
|
|
|||
| if p.host.Network().Connectedness(pid) == network.Connected { | |||
| if p.host.Network().Connectedness(pid) == network.Connected && | |||
| !p.deadPeerBackoff.peerExceededBackoffThreshold(pid) { | |||
There was a problem hiding this comment.
we might want to (debug) log this.
There was a problem hiding this comment.
yes, this looks better and we avoid spawning the goroutine if we are going to stop.
One minor point is that the check/get is not atomic; I would suggest taking the base delay before spawning the goroutine, with an error return if it is execeeded.
Then check the error and log if this is exceeded (debug, no need to spam), and then spawn with the delay we got.
Does that sounds reasonable?
Addresses #482 by implementing an exponential backoff mechanism for re-spawning new streams to peers that are originally supposedly dead.
closes #482