Change and clarify the relationship between Valid(), status() and Seek*() for all iterators. Also fix some bugs

[al13n321]

Before this PR, Iterator/InternalIterator may simultaneously have non-ok status() and Valid() = true. That state means that the last operation failed, but the iterator is nevertheless positioned on some unspecified record. Likely intended uses of that are:

• If some sst files are corrupted, a normal iterator can be used to read the data from files that are not corrupted.
• When using read_tier = kBlockCacheTier, read the data that's in block cache, skipping over the data that is not.

However, this behavior wasn't documented well (and until recently the wiki on github had misleading incorrect information). In the code there's a lot of confusion about the relationship between status() and Valid(), and about whether Seek()/SeekToLast()/etc reset the status or not. There were a number of bugs caused by this confusion, both inside rocksdb and in the code that uses rocksdb (including ours).

This PR changes the convention to:

• If status() is not ok, Valid() always returns false.
• Any seek operation resets status. (Before the PR, it depended on iterator type and on particular error.)

This does sacrifice the two use cases listed above, but @siying said it's ok.

Overview of the changes:

• A commit that adds missing status checks in MergingIterator. This fixes a bug that actually affects us, and we need it fixed. DBIteratorTest.NonBlockingIterationBugRepro explains the scenario.
• Changes to lots of iterator types to make all of them conform to the new convention. Some bug fixes along the way. By far the biggest changes are in DBIter, which is a big messy piece of code; I tried to make it less big and messy but mostly failed.
• A stress-test for DBIter, to gain some confidence that I didn't break it. It does a few million random operations on the iterator, while occasionally modifying the underlying data (like ForwardIterator does) and occasionally returning non-ok status from internal iterator.

To find the iterator types that needed changes I searched for "public .*Iterator" in the code. Here's an overview of all 27 iterator types:

Iterators that didn't need changes:

• status() is always ok(), or Valid() is always false: MemTableIterator, ModelIter, TestIterator, KVIter (2 classes with this name anonymous namespaces), LoggingForwardVectorIterator, VectorIterator, MockTableIterator, EmptyIterator, EmptyInternalIterator.
• Thin wrappers that always pass through Valid() and status(): ArenaWrappedDBIter, TtlIterator, InternalIteratorFromIterator.

Iterators with changes (see inline comments for details):

• DBIter - an overhaul:
  • It used to silently skip corrupted keys (FindParseableKey()), which seems dangerous. This PR makes it just stop immediately after encountering a corrupted key, just like it would for other kinds of corruption. Let me know if there was actually some deeper meaning in this behavior and I should put it back.
  • It had a few code paths silently discarding subiterator's status. The stress test caught a few.
  • The backwards iteration code path was expecting the internal iterator's set of keys to be immutable. It's probably always true in practice at the moment, since ForwardIterator doesn't support backwards iteration, but this PR fixes it anyway. See added DBIteratorTest.ReverseToForwardBug for an example.
  • Some parts of backwards iteration code path even did things like assert(iter_->Valid()) after a seek, which is never a safe assumption.
  • It used to not reset status on seek for some types of errors.
  • Some simplifications and better comments.
  • Some things got more complicated from the added error handling. I'm open to ideas for how to make it nicer.
• MergingIterator - check status after every operation on every subiterator, and in some places assert that valid subiterators have ok status.
• ForwardIterator - changed to the new convention, also slightly simplified.
• ForwardLevelIterator - fixed some bugs and simplified.
• LevelIterator - simplified.
• TwoLevelIterator - changed to the new convention. Also fixed a bug that would make SeekForPrev() sometimes silently ignore errors from first_level_iter_.
• BlockBasedTableIterator - minor changes.
• BlockIter - replaced SetStatus() with Invalidate() to make sure non-ok BlockIter is always invalid.
• PlainTableIterator - some seeks used to not reset status.
• CuckooTableIterator - tiny code cleanup.
• ManagedIterator - fixed some bugs.
• BaseDeltaIterator - changed to the new convention and fixed a bug.
• BlobDBIterator - seeks used to not reset status.
• KeyConvertingIterator - some small change.

[facebook-github-bot]

@al13n321 has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

[facebook-github-bot]

@al13n321 has updated the pull request.

[al13n321]

I think an this return was intended here, because without it the Advance() below would fail an assert.

[al13n321]

Not sure where this came from. Very old code when iterator interface was different? Searching rocksdb code for "AtEnd" and "AtStart" returns no results, so I'm assuming they're not a thing.

[al13n321]

Not particularly nice: Status is 16 bytes, so it's probably faster to return by value (in two registers).

[al13n321]

This made no sense: if status is not ok, it would leave valid_ containing leftovers from previous iterator operations.

[al13n321]

Here, Seek() seeks within the current file, which is set using SetFileIndex() called from the outside. But SeekToFirst() used to work differently and call SetFileIndex(0) for some reason, despite the fact that the caller calls SetFileIndex() before SeekToFirst(), just like it does before Seek(). So I changed SeekToFirst() to work the same way as Seek(). It doesn't affect correctness afaict, just a cleanup.

[facebook-github-bot]

@al13n321 has updated the pull request.

[facebook-github-bot]

@al13n321 has updated the pull request.

[facebook-github-bot]

@al13n321 has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

[siying]

Thank you so much for this change. It's much more complicated than I thought. It's a good job!

I just briefly looked at db_iter.cc. I'm still looking at other files.

[siying]

I don't see where the return value is used.

[siying]

I have no idea removing this statement is correct or not. CC @ajkr

[al13n321]

As far as I understood from comments in range_del_aggregator.h, this method is only an optimization and doesn't affect correctness, and it should be called when the iterator is seeked to an arbitrary position. Here it's seeked to a position very close to where it used to be, so I guessed that InvalidateTombstoneMapPositions() is not needed. @ajkr , is any of that right?

[siying]

By removing this for-loop, it becomes complicated for me to understand.
Now my understanding is that, we can still rely on FindPrevUserKey() to do this for-loop and find the first key smaller than saved_key_.

If that is the case, the function name FindPrevUserKey() is confusing to me. It actually finds the previous user key to saved_key_?

[al13n321]

It actually finds the previous user key to saved_key_?

Yes, a comment above FindPrevUserKey() says: "Move backwards until the key smaller than saved_key_". This is similar to FindNextUserEntry() with skipping=true, which goes to a key strictly above saved_key_. I can rename FindPrevUserKey() to something like FindUserKeyBeforeSavedKey() if you find it less confusing.

I removed the loop because it was pretty much a duplicate of the loop in FindPrevUserKey(), only with > instead of >=. So, the logic used to be "move back until we see a good entry with key <= saved_key_, then move back until we see a good entry with key != saved_key_", which is just a more complicated way of saying "move back until we see a good entry with key < saved_key_".

[siying]

If the function has clear comment on the behavior, it is good then.

[siying]

Is this SeekToLast() logic to handle keys deleted by forward iterator?

[al13n321]

Yes. And yes, forward iterator doesn't support Prev() right now, so this is unreachable at the moment (except in the stress test the next commit adds). I made DBIter support it anyway because maybe we'll later add support for Prev() in forward iterator, or have some other situation when DBIter is used over a non-snapshot iterator.

[siying]

I briefly looked at most of the non-test files. It's awesome! Thank you again for helping with this complicated project.

[siying]

Thank you for adding this scenario. To verify the correctness of the iterator, another scenario worth covering is to add is to insert a key between the current key and the next key, because some of the looping for the next key logic has been changed a little bit.

[al13n321]

The stress test in the next commit should cover this scenario.

[siying]

I don't understand this.

[al13n321]

Removing.

(It prints the value of i if the assertion fails. I added it for debugging when this test was failing, then left it because there's a small probability that it may come in handy for someone else later. Removing it, just to avoid touching an extra file without a good reason.)

[siying]

I didn't find where the merging iterator is invalidated.

[al13n321]

Oh, this commit doesn't invalidate iterator, only makes status() more correct and fast. The next commit makes Valid() return false if status is not ok.

[siying]

Same here.

[siying]

and here.

[siying]

and here.

[facebook-github-bot]

@al13n321 has updated the pull request.

[facebook-github-bot]

@al13n321 has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

[facebook-github-bot]

@al13n321 has updated the pull request.

[al13n321]

Alright, comments addressed, checks pass.

[siying]

Thank you for helping with such a complicated task.

[siying]

Use ToString() in ./util/string_util.h. Same for other places.

[al13n321]

Changing. There are lots of existing std::to_string calls in db_iter_test.cc; leaving them alone.

[siying]

perf_context_test.cc uses parameter "--verbose" for this purpose. I hope we keep it consistent.

[al13n321]

Done.

[siying]

if (verbose)?

[al13n321]

I'd rather not: verbose outputs ~80 MB of stuff, and is intended for debugging failures; in contrast, this cout is just a few lines, to give an idea of how many times each case was hit.

[siying]

Run "make format" and see whether this is accepted.

[al13n321]

Oh, make format, I forgot it exists. Running it on the whole PR now.

[facebook-github-bot]

@al13n321 has updated the pull request.

[facebook-github-bot]

@al13n321 has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

[facebook-github-bot]

@al13n321 has updated the pull request.

[facebook-github-bot]

@al13n321 has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

[facebook-github-bot]

@al13n321 has updated the pull request.

[facebook-github-bot]

@al13n321 has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

[facebook-github-bot]

@al13n321 has updated the pull request.

[facebook-github-bot]

@al13n321 has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

[facebook-github-bot]

@al13n321 is landing this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

[siying]

@al13n321 clang_analyze is still failing:

db/db_iter_stress_test.cc:413:41: warning: Division by zero
    std::string s = ToString(rnd.Next() % (uint64_t)max_key);
                             ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~

[siying]

By the way, Google C++ Style (which we are following) disallow C-style casting. In this case uint64_t{max_key} is preferred.

[miasantreble]

#3872 will fix clang_analyze