RATIS-2174. Move future.join outside the lock

[133tosakarin]

What changes were proposed in this pull request?

In recent observations, I found that some functions wait for a future while holding a lock, which is a very dangerous thing.
To avoid the deadlock problem caused by holding the lock and waiting for the future, I am considering moving the future waiting outside the lock.

Currently, I found that calling changeToFollower in the following functions causes the above situation:

1. RaftServerImpl.appendEntries
2. RaftServerImpl.RequestVote
3. checkAndInstallSnapshot

see https://issues.apache.org/jira/browse/RATIS-2174

[133tosakarin]

@szetszwo
please take a look. If you agree to write it this way, I will create an issue in jira.

[133tosakarin]

@szetszwo @OneSizeFitsQuorum

Please check the comments below. could you help me refer to which one to use as the final solution?
There are currently two main options:

1. Move future.join outsize the lock (current commit)
2. Use wait/notify (Code Block below)

Subject: [PATCH] use wait/notify
---
Index: ratis-server/src/main/java/org/apache/ratis/server/leader/LogAppenderDaemon.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/ratis-server/src/main/java/org/apache/ratis/server/leader/LogAppenderDaemon.java b/ratis-server/src/main/java/org/apache/ratis/server/leader/LogAppenderDaemon.java
--- a/ratis-server/src/main/java/org/apache/ratis/server/leader/LogAppenderDaemon.java	(revision 62ae6d9f068ce01dd467a6fa83fb74dad9c2c8d8)
+++ b/ratis-server/src/main/java/org/apache/ratis/server/leader/LogAppenderDaemon.java	(date 1729085480985)
@@ -94,6 +94,9 @@
         logAppender.restart();
       }
       closeFuture.complete(finalState);
+      synchronized (logAppender.getServer()) {
+        logAppender.getServer().notifyAll();
+      }
     }
   }
 
Index: ratis-server/src/main/java/org/apache/ratis/server/impl/FollowerState.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/ratis-server/src/main/java/org/apache/ratis/server/impl/FollowerState.java b/ratis-server/src/main/java/org/apache/ratis/server/impl/FollowerState.java
--- a/ratis-server/src/main/java/org/apache/ratis/server/impl/FollowerState.java	(revision 62ae6d9f068ce01dd467a6fa83fb74dad9c2c8d8)
+++ b/ratis-server/src/main/java/org/apache/ratis/server/impl/FollowerState.java	(date 1729086757702)
@@ -130,6 +130,9 @@
       runImpl();
     } finally {
       stopped.complete(null);
+      synchronized (server) {
+        server.notifyAll();
+      }
     }
   }
 
Index: ratis-server/src/main/java/org/apache/ratis/server/impl/RaftServerImpl.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/ratis-server/src/main/java/org/apache/ratis/server/impl/RaftServerImpl.java b/ratis-server/src/main/java/org/apache/ratis/server/impl/RaftServerImpl.java
--- a/ratis-server/src/main/java/org/apache/ratis/server/impl/RaftServerImpl.java	(revision 62ae6d9f068ce01dd467a6fa83fb74dad9c2c8d8)
+++ b/ratis-server/src/main/java/org/apache/ratis/server/impl/RaftServerImpl.java	(date 1729087936568)
@@ -565,16 +565,38 @@
     }
   }
 
+   static class Pair<U, V> {
+    private final U first;
+    private final V second;
+
+    private Pair(U first, V second) {
+      this.first = first;
+      this.second = second;
+    }
+
+    static <U,V> Pair<U, V> makePair(U u,  V v) {
+      return new Pair<>(u, v);
+    }
+
+    U first() {
+      return first;
+    }
+
+    V second() {
+      return second;
+    }
+  }
+
   /**
    * Change the server state to Follower if this server is in a different role or force is true.
    * @param newTerm The new term.
    * @param force Force to start a new {@link FollowerState} even if this server is already a follower.
    * @return if the term/votedFor should be updated to the new term
    */
-  private boolean changeToFollower(long newTerm, boolean force, boolean allowListener, Object reason) {
+  private Pair<Boolean, CompletableFuture<Void>> changeToFollower(long newTerm, boolean force, boolean allowListener, Object reason) {
     final AtomicReference<Boolean> metadataUpdated = new AtomicReference<>();
-    changeToFollowerAsync(newTerm, force, allowListener, reason, metadataUpdated).join();
-    return metadataUpdated.get();
+    CompletableFuture<Void> future = changeToFollowerAsync(newTerm, force, allowListener, reason, metadataUpdated);
+    return Pair.makePair(metadataUpdated.get(), future);
   }
 
   private synchronized CompletableFuture<Void> changeToFollowerAsync(
@@ -617,20 +639,37 @@
       long newTerm,
       boolean allowListener,
       Object reason) throws IOException {
-    if (changeToFollower(newTerm, false, allowListener, reason)) {
-      state.persistMetadata();
+    Pair<Boolean, CompletableFuture<Void>> pair = changeToFollower(newTerm, false, allowListener, reason);
+    try {
+      if (pair.first()) {
+        state.persistMetadata();
+      }
+    } finally {
+      waitFutureAndJoin(pair.second());
     }
   }
 
-  synchronized void changeToLeader() {
+  synchronized void waitFutureAndJoin(CompletableFuture<?> future) {
+    while (!future.isDone()) {
+      try {
+        this.wait();
+      } catch (InterruptedException e) {
+        // ignore
+      }
+    }
+    future.join();
+  }
+  
+  synchronized CompletableFuture<Void> changeToLeader() {
     Preconditions.assertTrue(getInfo().isCandidate());
-    role.shutdownLeaderElection();
+    CompletableFuture<Void> future = role.shutdownLeaderElection();
     setRole(RaftPeerRole.LEADER, "changeToLeader");
     final LeaderStateImpl leader = role.updateLeaderState(this);
     state.becomeLeader();
 
     // start sending AppendEntries RPC to followers
     leader.start();
+    return future;
   }
 
   @Override
@@ -1460,8 +1499,9 @@
       final boolean voteGranted = context.decideVote(candidate, candidateLastEntry);
       if (candidate != null && phase == Phase.ELECTION) {
         // change server state in the ELECTION phase
-        final boolean termUpdated =
-            changeToFollower(candidateTerm, true, false, "candidate:" + candidateId);
+        Pair<Boolean, CompletableFuture<Void>> pair = changeToFollower(candidateTerm, true, false, "candidate:" + candidateId);
+        final boolean termUpdated = pair.first;
+        waitFutureAndJoin(pair.second);
         if (voteGranted) {
           state.grantVote(candidate.getId());
         }
Index: ratis-server/src/main/java/org/apache/ratis/server/impl/LeaderElection.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/ratis-server/src/main/java/org/apache/ratis/server/impl/LeaderElection.java b/ratis-server/src/main/java/org/apache/ratis/server/impl/LeaderElection.java
--- a/ratis-server/src/main/java/org/apache/ratis/server/impl/LeaderElection.java	(revision 62ae6d9f068ce01dd467a6fa83fb74dad9c2c8d8)
+++ b/ratis-server/src/main/java/org/apache/ratis/server/impl/LeaderElection.java	(date 1729087936578)
@@ -242,6 +242,9 @@
       runImpl();
     } finally {
       stopped.complete(null);
+      synchronized (server) {
+        server.notifyAll();
+      }
     }
   }
 
@@ -256,7 +259,7 @@
       for (int round = 0; shouldRun(); round++) {
         if (skipPreVote || askForVotes(Phase.PRE_VOTE, round)) {
           if (askForVotes(Phase.ELECTION, round)) {
-            server.changeToLeader();
+            server.changeToLeader().join();
           }
         }
       }

[szetszwo]

@133tosakarin , sorry for the delay. Will review this soon.

[szetszwo]

@133tosakarin , thanks a lot for working on this! The idea is great.

• We should avoid using Optional. Using final is better since the compiler will enforce that the variable must be initialized before use.
• Let's pass an AtomicBoolean instead of adding the new Pair class. It will have much less code change.

See https://issues.apache.org/jira/secure/attachment/13072253/1168_review.patch

[133tosakarin]

@133tosakarin , thanks a lot for working on this! The idea is great.

• We should avoid using Optional. Using final is better since the compiler will enforce that the variable must be initialized before use.
• Let's pass an AtomicBoolean instead of adding the new Pair class. It will have much less code change.

See https://issues.apache.org/jira/secure/attachment/13072253/1168_review.patch

Sze, thank you for your advice!

Our current commit is to move future.join out of the lock, but OneSizeFitsQuorum thinks there may be concurrency issues.

What do you think?

[szetszwo]

Suppose we have the following code:

synchronized(server) {
  ...
  final CompletableFuture<Void> future = state.shudown()
  f.join()
}

• I agree with you that calling join() at the end of synchronized(server) block seems useless since it just waits for the state thread to terminate. If anything needs to be synchronized, it should be done inside the shutdown() method. Of course, the state thread could be synchronized(server) in its run() method. The same synchronization will happen also in the non-shutdown cases. It there is a bug, the non-shutdown cases should also have the same bug.

• I could see that calling join() at the middle of synchronized(server) may be useful in some cases -- the caller wants to wait of the state thread to complete for some reasons such as getting a final result. However, we are not doing that in our shutdown code.

[133tosakarin]

Suppose we have the following code:

synchronized(server) {
  ...
  final CompletableFuture<Void> future = state.shudown()
  f.join()
}

• I agree with you that calling join() at the end of synchronized(server) block seems useless since it just waits for the state thread to terminate. If anything needs to be synchronized, it should be done inside the shutdown() method. Of course, the state thread could be synchronized(server) in its run() method. The same synchronization will happen also in the non-shutdown cases. It there is a bug, the non-shutdown cases should also have the same bug.
• I could see that calling join() at the middle of synchronized(server) may be useful in some cases -- the caller wants to wait of the state thread to complete for some reasons such as getting a final result. However, we are not doing that in our shutdown code.

Thank you for your valuable advice! We have reached a consensus

Regarding the question raised by OneSizeFitsQuorum, the concern might be that when thread A waits for the state to shut down outside the synchronized (server) block, it is possible that the state thread could modify some data of the server. When thread A is woken up, since some server data may have been changed by the state thread before its shutdown, the question is whether this could have any subsequent impact on thread A.

OneSizeFitsQuorum recommends writing it as follows:

For Thread A:

synchronized (server) {
    future = state.shutdown();
    while (!future.isDone()) {
        server.wait();
    }
}

For Thread State:

Future<Void> stopped;
...
try {
    run();
} finally {
    stopped.complete();
    synchronized (server) {
        server.notify();
    }
}

In our code, the State thread may be LogAppender, FollowerState, LeaderElection

[szetszwo]

@133tosakarin , thanks for the update!

Please don't use CompletableFuture.runAsync(future::join);. We either want to

• sync: call future.join(), or
• async: do nothing (the code is already async).

See the details inlined.

[szetszwo]

It is better to use final CompletableFuture<Void> future;. Then future.join() will never have NPE.

[133tosakarin]

Thank you for your valuable advice

[szetszwo]

CompletableFuture.runAsync means use another thread to call join(). It is not useful. More details:

• Without this line, the shutdown thread will run and complete the future.
• With this line, the shutdown thread will run and complete the future. In addition, we use another thread to wait for the shutdown thread. Why use one more thread?

[133tosakarin]

Assuming we encounter an exception here, we either do not handle the future or need another thread to handle it. If we do not use another thread to handle the future, there is still a deadlock problem of holding the lock and waiting for the future.

The same consideration applies to using runAsync elsewhere

[szetszwo]

If we remove line 620, how could we have a deadlock? Could you give more details?

[133tosakarin]

Replacing CompleteFuture.runAsync(future::join) with future.join still presents the deadlock issue where thread A holds the lock while waiting for the future, and thread B needs to acquire the lock.

If we simply ignore the future and throw an exception without handling it, then no deadlock will occur.

[szetszwo]

Replacing CompleteFuture.runAsync(future::join) with future.join ...

I mean "remove the line", not "replace it with future.join", i.e. case 3 below.

Three cases:

1. With future.join(), the current thread will wait for the shutdown thread to complete
2. With CompleteFuture.runAsync(future::join), the current thread and the shutdown thread will run in parallel. In addition, it uses one more thread to wait for the shutdown thread.
3. With an empty line, the current thread and the shutdown thread will run in parallel.

[133tosakarin]

I see.

case 1. We should avoid this situation, which seems to contradict our issue
case 2. This writing style does not seem to be recommended
case 3. It seems that we can only use this

Then we can use the third case

[szetszwo]

• Version 1

synchronized (server) {
    future = state.shutdown();
    while (!future.isDone()) {
        server.wait();
    }
}

try {
    run();
} finally {
    stopped.complete();
    synchronized (server) {
        server.notify();
    }
}

• Version 2

synchronized (server) {
    future = state.shutdown();
}
future.join()

try {
    run();
} finally {
    stopped.complete();
}

Version 1 and Version 2 seem to be the same. Could you point out when they will be different?

[133tosakarin]

• Version 1

synchronized (server) {
    future = state.shutdown();
    while (!future.isDone()) {
        server.wait();
    }
}

try {
    run();
} finally {
    stopped.complete();
    synchronized (server) {
        server.notify();
    }
}

• Version 2

synchronized (server) {
    future = state.shutdown();
}
future.join()

try {
    run();
} finally {
    stopped.complete();
}

Version 1 and Version 2 seem to be the same. Could you point out when they will be different?

For version 1, we need to wait for another thread to wake up before continuing execution.

For version 2, the current thread and the thread that needs to be shut down may execute in parallel.

[szetszwo]

For version 2, the current thread and the thread that needs to be shut down may execute in parallel.

No. future.join() means that it is waiting for stopped to complete.

[133tosakarin]

BTW, future.thenApply(..) is not the same as join(). It still returns a un-joined future.

Thank you very much for your explanation.

[szetszwo]

@133tosakarin , we need to remove all CompletableFuture.runAsync(future::join). They are not useful. See #1168 (comment)

[133tosakarin]

Ok, I will modify this part of the code.

[szetszwo]

@133tosakarin , thanks for the update! Please see the comment below and the comments inlined.

• In LeaderElection, it should NOT complete stopped in shutdown() since the thread is still running at that time.

+++ b/ratis-server/src/main/java/org/apache/ratis/server/impl/LeaderElection.java
@@ -227,7 +227,6 @@ class LeaderElection implements Runnable {
 
   CompletableFuture<Void> shutdown() {
     lifeCycle.checkStateAndClose();
-    stopped.complete(null);
     return stopped;
   }

[szetszwo]

Remove reply and declare it in the code below.

[133tosakarin]

ok, thanks for your comment

[szetszwo]

final InstallSnapshotReplyProto reply = toInstallSnapshotReplyProto(leaderId, getMemberId(),

[133tosakarin]

Ok

[szetszwo]

Create the reply first since it does not have to wait for the shutdown.

    final InstallSnapshotReplyProto reply = toInstallSnapshotReplyProto(leaderId, getMemberId(),
        currentTerm, snapshotChunkRequest.getRequestIndex(), InstallSnapshotResult.SUCCESS);
    return future.thenApply(dummy -> reply);

[133tosakarin]

Ok

[szetszwo]

Similar to before, move down the declaration, create the reply and return future.thanApply(..).

[133tosakarin]

Ok

[szetszwo]

Please revert this whitespace change.

[133tosakarin]

Ok

[szetszwo]

+1 the change looks good

(Used the web editor to revert a whitespace change but it did not go well. Then, edited it locally and pushed another whitespace reverts.)

[133tosakarin]

Remove join in FollowerState and LeaderElection.

For FollowerState, changing to Candidate will close FollowerState and then return to FollowerState.stopped, which is equivalent to waiting for oneself to close.

LeaderElection is similar to FollowerState. When changed to Leader, LeaderElection will be closed and then returned to LeaderElection.stop.

[133tosakarin]

There seems to be a strange error: the address has already been used

[szetszwo]

There seems to be a strange error: the address has already been used

It happens occasionally. It may be a test problem (or library, OS bugs.) Not sure if there is a way to prevent it.

Let's simply rerun the tests for now.

[133tosakarin]

#[d0cd3de]

[133tosakarin]

In this commit [d0cd3de ] , the following modifications are mainly made

1. Since Follower and Candidate close themselves, calling future.join at this time will deadlock, so cancel the corresponding return or ignore it.
2. There are still some tests with LeakSize > 0, I'm not sure if this is related to the current modification.

[szetszwo]

@133tosakarin , good job! The latest change can pass everything at the first run.