Refactor OpenTransaction interface

[fsamuel-bs]

General

Before this PR:
The interface OpenTransaction was confusing. It stated that methods needed to use finish or finishWithCallback for a transaction to succeed, but our main internal consumer called these only on close() for cleanup, which caused #7407.

After this PR:
This PR clarifies the usage of OpenTransaction. It explicitly delegates to clients the responsibility of calling commit() or abort(), and moves cleanup to a close() method. It also makes it explicit that close() is idempotent, and can be called several times (with further calls simply no-oping).

==COMMIT_MSG==
==COMMIT_MSG==

Priority:

Concerns / possible downsides (what feedback would you like?):

Is documentation needed?:

Compatibility

Does this PR create any API breaks (e.g. at the Java or HTTP layers) - if so, do we have compatibility?:

Does this PR change the persisted format of any data - if so, do we have forward and backward compatibility?:

The code in this PR may be part of a blue-green deploy. Can upgrades from previous versions safely coexist? (Consider restarts of blue or green nodes.):

Does this PR rely on statements being true about other products at a deployment - if so, do we have correct product dependencies on these products (or other ways of verifying that these statements are true)?:

Does this PR need a schema migration?

Testing and Correctness

What, if any, assumptions are made about the current state of the world? If they change over time, how will we find out?:

What was existing testing like? What have you done to improve it?:

If this PR contains complex concurrent or asynchronous code, is it correct? The onus is on the PR writer to demonstrate this.:

If this PR involves acquiring locks or other shared resources, how do we ensure that these are always released?:

Execution

How would I tell this PR works in production? (Metrics, logs, etc.):

Has the safety of all log arguments been decided correctly?:

Will this change significantly affect our spending on metrics or logs?:

How would I tell that this PR does not work in production? (monitors, etc.):

If this PR does not work as expected, how do I fix that state? Would rollback be straightforward?:

If the above plan is more complex than “recall and rollback”, please tag the support PoC here (if it is the end of the week, tag both the current and next PoC):

Scale

Would this PR be expected to pose a risk at scale? Think of the shopping product at our largest stack.:

Would this PR be expected to perform a large number of database calls, and/or expensive database calls (e.g., row range scans, concurrent CAS)?:

Would this PR ever, with time and scale, become the wrong thing to do - and if so, how would we know that we need to do something differently?:

Development Process

Where should we start reviewing?:

If this PR is in excess of 500 lines excluding versions lock-files, why does it not make sense to split it?:

Please tag any other people who should be aware of this PR:
@jeremyk-91
@raiju

[jeremyk-91]

Looks good, thanks! Couple of small bits we should finish up I think, but thanks a lot for the contribution :)

[changelog-app]

Generate changelog in changelog/@unreleased

What do the change types mean?

• feature: A new feature of the service.
• improvement: An incremental improvement in the functionality or operation of the service.
• fix: Remedies the incorrect behaviour of a component of the service in a backwards-compatible way.
• break: Has the potential to break consumers of this service's API, inclusive of both Palantir services
  and external consumers of the service's API (e.g. customer-written software or integrations).
• deprecation: Advertises the intention to remove service functionality without any change to the
  operation of the service itself.
• manualTask: Requires the possibility of manual intervention (running a script, eyeballing configuration,
  performing database surgery, ...) at the time of upgrade for it to succeed.
• migration: A fully automatic upgrade migration task with no engineer input required.

Note: only one type should be chosen.

How are new versions calculated?

• ❗The break and manual task changelog types will result in a major release!
• 🐛 The fix changelog type will result in a minor release in most cases, and a patch release version for patch branches. This behaviour is configurable in autorelease.
• ✨ All others will result in a minor version release.

Type

• Feature
• Improvement
• Fix
• Break
• Deprecation
• Manual task
• Migration

Description

Refactor OpenTransaction interface.

We now put the burden of committing or aborting the transaction explicitly in the hands of the consumer, and modify the contract to require only the consumer to call close().
We then abort the transaction on close() if uncommitted.

Check the box to generate changelog(s)

• Generate changelog entry

[fsamuel-bs]

This was quite nuanced:

• lockWatchManager.onTransactionCommit needs to run before lockWatchManager.requestTransactionStateRemovalFromCache
• onSuccess ran before the finally block before, and therefore it worked
• now we need to add to onCommitOrAbort in the right order, otherwise tests failed.

[fsamuel-bs]

Also thought of writing

                                transaction.onCommitOrAbort(() -> {
                                    if (!transaction.isAborted()) {
                                        // in onCommitOrAbort + not aborted == committed
                                        lockWatchManager.onTransactionCommit(transaction.getTimestamp());
                                    }
                                    lockWatchManager.requestTransactionStateRemovalFromCache(....)
                                });

but decided not do this because I like guaranteeing both are run in case one fails.

[fsamuel-bs]

Also thought of adding txn.isCommitted() as a method, but not doing that for now - could pick do in a flup pr if we decide to go down that route.

Edit: decided to go down this route and added txn.isDefinitelyCommitted()

[jkozlowski]

"and cleans up"?

[jkozlowski]

"may lead to memory leaks and arbitrary delays..."

[jkozlowski]

I would ALMOST think that we should just expose the State enum?

ANd very clearly indicate that this is all from the perspective of "did this Transaction Java Object Instance, MANAGE to get to the point of setting it's state. So for example if the thread was interrupted at some point, as you say, the transaction may have been committed, but this will not be reflected in this object and results of these methods.

Like it might be useful to expose the enum and draw the state diagram?

[jkozlowski]

I think you didn't finish a sentence here?

[jkozlowski]

For my edification: what do you get out of doing "? extends ", other than the callers now having to do the same thing?

[jkozlowski]

You already say this later?

Callbacks are run in the reverse order they were added - i.e. the last added callback will be run first.

[jkozlowski]

so IF you're making sure this is idempotent and e.g. openTransactionCounter.dec is not called multiple times and that's your intent, let's stick this in the finally?

[jkozlowski]

Similarly, should ScrubForAggressiveHardDelete happen only on the happy path, or always, regardless of exceptions?

[jkozlowski]

Do you strictly need the try-with-resources? It doesn't feel like you would?

[jkozlowski]

Yeah, see, this is super annoying :P

[jkozlowski]

As I'm reading this code, I also realized we missed something here and it's why I'm kind of thinking a bit more broadly:

• in #commit, you don't check whether the method has been called, before doing #runPreCommitCallbacks. Meaning, technically if something throws there, someone could then call #commit again, and have them rerun. It's all WEIRD TERRITORY, but I think it's pointing at something deeper?

I feel like in general we're not modelling the state machine rigorously enough in all of this code. I would almost want to use internal state machine library to generate the code to make sure this is all done properly?

[jkozlowski]

Yaaas, much better

[jkozlowski]

Although, I just started reading startTransactionsInternal, and my immediate thought was "shit we forgot to cleanup conditions when that throws exceptions...

[jkozlowski]

What if instead of this split thing, we try something like this:

• StartTransactionsInternal at the beginning creates a Closer onExceptionCloser = Closer.create();

As you acquire resources, you register things with it, so you'd immediately accumulate all of the conditions there.

Then in #startTransactionsImpl, IFF you end up with an exception, you execute the closer.

[jkozlowski]

Basically, this is SUCH critical code, that from a reader's perspective, EVERYTIME I see resource acquisition, on the next line I want it being registered with SOMETHING that's responsible for cleaning it up in case of exceptions.

[jkozlowski]

SO the way this code works is:

• if you throw as part of startTransactions, the PreCommitCondition will be cleaned up immediately there. Otherwise, the ownership of those moves to OpenTransaction and is therefore cleaned up as part of it's #close implementation.

Meaning, we improve the flow here, without breaking any functionality.

[jkozlowski]

For interest, it was very funny to have a look at the implementation of List.of in the JDK, and weirdly, it has List12, which is kinda bizzareo. Guava defo does better here

[jkozlowski]

Should we instead use your ThreadSafeCloser and add a method #closeAfterException(Throwable) or something that will do the logging and #addSuppressed?

I'm also honestly not that fussed with #addSuppressed, it feels like noise. And specifically, in the internal skiing project, might lead to giant stacktraces (and just lots of logging?), because we use pretty large batches for #startTransactions?

How about we log the individual failures somehow as separate loglines

[jkozlowski]

Yeah, you're doing this again which makes me think my original comments are valuable.

[jkozlowski]

Note for reviewers: Closer goes in stack order, so we're technically changing the order here. It shouldn't matter, these are unrelated.

[jkozlowski]

Ok, deep breaths before reviewing this...

[jkozlowski]

Yeah, something doesn't add up here if you're having to make this available and return the impl

[jkozlowski]

How about, instead of having the #execute method on OpenTransactionImpl, just inline it here? Like you're really not gaining anything from this, but now EVERYTHING is polluted with these weird generics.

[jkozlowski]

Correct me if there's a deeper reason

[jkozlowski]

This one: should this just be an internal transaction thing in SnapshotTransaction? Why is this even registered here, as opposed to much deeper?

This definitely feels silly, it shouldn't even be on the interface.

[jkozlowski]

What if this was ALSO moved somewhere higher? to somewhere around the place where we increment this value?

[jkozlowski]

I think that would be the most correct thing

[jkozlowski]

Alternative to this VERY CAREFUL ORDERING, is to actually delegate this to LockWatchManager honestly? It feels wrong that such CRITICAL piece of functionality has high code-distance from LockWatchManager itself. This is probably a pre-req for this PR merging?

I'd support something like maybe:

• StartIdentifiedAtlasDbTransactionResponse has some sort of Consumer, to which you push the outcome of the transaction and it runs the lockWatchManager code.