daml
daml copied to clipboard
digital-asset
transparently refresh query store on pruning error
In the DB update case (i.e. internally-stored offsets), if offset FAILED_PRECONDITION, under read committed,
- Begin
- Fetch all offsets for the template ID, including unowned
- Let P = all saved offset parties for template ID
- If request parties ⊇ P, skip all subsequent party-set checks
- Let pruned-P = the transitive closure of
- request parties ∪
- the (signatories ∪ observers) ∩ P of contracts visible to pruned-P
- Likewise, pruned-P ⊇ P simplifies the following checks.
- Delete all contracts of tpid where (pruned-P ∩ P ⊇ (signatories ∪ observers) ∩ P) (all contracts of tpid, if (4) or (6))
- This condition appears redundant, when we could just check whether pruned-P ∩ (signatories ∪ observers) is non-empty. Its purpose is to deal with two race conditions:
- P expanded after (3) (TODO SC not quite)
- contracts were added after (5) that would expand pruned-P
- This condition appears redundant, when we could just check whether pruned-P ∩ (signatories ∪ observers) is non-empty. Its purpose is to deal with two race conditions:
- Compare-and-delete offsets for (template, pruned-P). Deleting offsets unconditionally is not concurrent-safe; we may have inserted new contracts that have not been deleted!
- If compare-and-delete fails for any pruned-P, commit and restart from (1) with pruned-P as the new request parties.
- TODO SC this is not quite good enough
- If compare-and-delete fails for any pruned-P, commit and restart from (1) with pruned-P as the new request parties.
- Commit
- Ensure that there are no DB offsets for (tpid, request parties); if there are, restart from (1)
- TODO SC this is livelock-y, doesn't "monotonically advance time" like all our other concurrent update loops; might be able to drop it. A proper (8i) check should preclude it
- The observation of (tpid, request parties) should now be pruning-clean; re-fill from ACS+txns and proceed as normal
I believe this may complicate some concurrent update scenarios for those updates; still considering them.
Will assign this @S11001001 for now because he already has an ongoing PR for this (ignoring the fact that it has been open for more than two weeks already).
I want to step back a bit and clarify our performance requirements. We have three basic approaches with three levels of complexity:
- Prune the bare minimum slices of the ACS. This is what #13529 moves towards and what is described in this issue description.
- Prune the whole template ID. Whereas party visibility slices overlap (hence all the extra calculation described for (1)), template ID subsets of the contract table never overlap.
- Prune the whole contract table. Obviously the simplest, but with the same implications that resetting the query store entirely would have if the user did it manually.
Keep in mind that query store pruning can happen at unexpected times. It is perfectly possible for a prune to happen on the ledger, many query-store updates and queries to happen successfully, filling more of the contracts table, and then only some time later running into the invalidated offset, triggering the query store pruning.
Each of the following factors suggests we should have more complexity in our pruning approach, i.e. an earlier item in the above list:
- more frequent pruning (@cocreature mentions that we expect 1 day-6 months between ledger prunes, if used at all)
- more parties with different query-endpoint access patterns
- less overlap between parties' contract visibility
- larger ACSes
@ray-roestenburg-da Discussing and determining which of the three approaches in the preceding comment has the right complexity/concurrency tradeoffs.
I implemented approach 2 in https://github.com/digital-asset/daml/pull/17167
