SELECT ... AS OF TIMESTAMP statement with explicit time may break linearizability when TSO is drifting #56809
Labels
affects-6.5
This bug affects the 6.5.x(LTS) versions.
affects-7.1
This bug affects the 7.1.x(LTS) versions.
affects-7.5
This bug affects the 7.5.x(LTS) versions.
affects-8.1
This bug affects the 8.1.x(LTS) versions.
affects-8.4
affects-8.5
This bug affects the 8.5.x(LTS) versions.
report/customer
Customers have encountered this bug.
severity/critical
sig/transaction
SIG:Transaction
type/bug
The issue is confirmed as a bug.
Bug Report
Summary
When user explicitly specifies time in a
SELECT ... AS OF TIMESTAMP
statement to perform stale-read, it's possible that user specifies a time that's much larger than the latest ts that PD has allocated. Users usually don't actually want to read on a future time, but there are some cases that PD's TSO is significantly lagging from the actual physical time. Note that TSO lagging might not always be caused by system time drifts, but may also caused by PD's abnormal writing etcd latency.TiKV doesn't uses the timestamp from stale-read requests to push its
max_ts
(which is used forcommit_ts
calculation in Async Commit / 1PC transactions). However, when retries happens on stale-read requests, TiDB (client-go) usually fallback it to normal leader read mode, without resetting its read_ts. This can cause the retrying request have the manually-specified read ts, but without the stale read flag, and as a result TiKV can use it to pushmax_ts
, and results in a value larger than that PD can allocate after that. This breaks the linearizablility of Async Commit / 1PC transactions.Minimal reproduce step
tso-update-physical-interval="2s"
on PD, which lets PD updates physical every 2 seconds.update
statement:update t set v = v + 1 where id = 1
runs in fair locking mode, and when it encounters write conflict (another transaction committed on this key), the current transaction gets a new forUpdateTS from PD for retrying the statement, and it asserts the new ts from PD must be larger than the previously met conflicting commit record. However this assertion is violated.DataIsNotReady
error, which is a normal and commen error that may happen in stale read scenarios. This will force stale read requests always fallback to leader read mode.pessimistic-txn.max-retry-count=100000
to TiDB's config file to avoid the"pessimistic lock retry limit reached"
error.What is your TiDB version?
v7.5.1
The text was updated successfully, but these errors were encountered: