Backoff policy for failed mutation.

[MikhailBurdukov]

Changelog category (leave one):

• Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Enabled a backoff logic (e.g. exponential). Will provide an ability for reduced CPU usage, memory usage and log file sizes.

Documentation entry for user-facing changes

• Documentation is written (mandatory for new features)

If mutation query is incorrect or can't be performed right now then it will hang in infinite loop with high resources usage:
Example (from #55946):

CREATE TABLE main (id Int8) ENGINE=MergeTree() ORDER BY id;
INSERT INTO main SELECT * FROM system.numbers LIMIT 2;

ALTER TABLE main DELETE WHERE id IN (SELECT id FROM nonexistent);

Have a backoff logic (e.g. exponential) will provide an ability for reduced CPU usage, memory usage and log file sizes.

Information about CI checks: https://clickhouse.com/docs/en/development/continuous-integration/

[robot-clickhouse-ci-1]

This is an automated comment for commit fa5747a with description of existing statuses. It's updated for the latest CI running

❌ Click here to open a full report in a separate page

Successful checks

Check name	Description	Status
AST fuzzer	Runs randomly generated queries to catch program errors. The build type is optionally given in parenthesis. If it fails, ask a maintainer for help	✅ success
ClickBench	Runs [ClickBench](https://github.com/ClickHouse/ClickBench/) with instant-attach table	✅ success
ClickHouse build check	Builds ClickHouse in various configurations for use in further steps. You have to fix the builds that fail. Build logs often has enough information to fix the error, but you might have to reproduce the failure locally. The cmake options can be found in the build log, grepping for cmake. Use these options and follow the general build process	✅ success
Compatibility check	Checks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help	✅ success
Docker keeper image	The check to build and optionally push the mentioned image to docker hub	✅ success
Docker server image	The check to build and optionally push the mentioned image to docker hub	✅ success
Docs check	Builds and tests the documentation	✅ success
Fast test	Normally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here	✅ success
Flaky tests	Checks if new added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer, and additional randomization of thread scheduling. Integrational tests are run up to 10 times. If at least once a new test has failed, or was too long, this check will be red. We don't allow flaky tests, read the doc	✅ success
Install packages	Checks that the built packages are installable in a clear environment	✅ success
Mergeable Check	Checks if all other necessary checks are successful	✅ success
Performance Comparison	Measure changes in query performance. The performance test report is described in detail here. In square brackets are the optional part/total tests	✅ success
Push to Dockerhub	The check for building and pushing the CI related docker images to docker hub	✅ success
SQLTest	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
SQLancer	Fuzzing tests that detect logical bugs with SQLancer tool	✅ success
Sqllogic	Run clickhouse on the sqllogic test set against sqlite and checks that all statements are passed	✅ success
Stateful tests	Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stress test	Runs stateless functional tests concurrently from several clients to detect concurrency-related errors	✅ success
Style check	Runs a set of checks to keep the code style clean. If some of tests failed, see the related log from the report	✅ success
Unit tests	Runs the unit tests for different release types	✅ success
Upgrade check	Runs stress tests on server version from last release and then tries to upgrade it to the version from the PR. It checks if the new server can successfully startup without any errors, crashes or sanitizer asserts	✅ success

Check name	Description	Status
A Sync	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	❌ failure
CI running	A meta-check that indicates the running CI. Normally, it's in success or pending state. The failed status indicates some problems with the PR	⏳ pending
Integration tests	The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests	❌ failure
Stateless tests	Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	❌ failure

[myrrc]

Suggested change

	auto failed_part = result_part->parts.at(0);
	auto & failed_part = result_part->parts.at(0);

[myrrc]

All other usages of mutation_wait_event notify it under
std::lock_guard lock(mutation_wait_mutex). Generally you should not notify a condition variable while holding a mutex (as waiting threads will be notified just to sleep again) but maybe there is some other semantics here you could investigate

[myrrc]

Resolves: #57089

[myrrc]

You can add this setting here
and query it like getSettingsRef().max_postpone_time...

[myrrc]

Maybe we could store context.getSettings() instead of storing the context ptr itself? Except for the setting, we don't use the context

[myrrc]

typo: posTpone

[myrrc]

If this setting will be present in Settings.h, we could change the setting in runtime via SETTINGS max_postpone_time=12345.
Please consider adding a test case changing the setting in runtime

[myrrc]

Suggested change

	assert node_no_backoff.contains_in_log(REPLICATED_POSPONE_MUTATION_LOG) == False
	assert not node_no_backoff.contains_in_log(REPLICATED_POSPONE_MUTATION_LOG)

[myrrc]

Suggested change

	assert node_with_backoff.contains_in_log(REPLICATED_POSPONE_MUTATION_LOG) == True
	assert node_with_backoff.contains_in_log(REPLICATED_POSPONE_MUTATION_LOG)

[tavplubix]

Why do we have time both in Poco::Timestamp and size_t?

[tavplubix]

Isn't Poco::Timestamp a POD type? What's the point of moving it, then?

[tavplubix]

1. Double whitespace after "return" and after "+"
2. It's unclear what the precision of latest_fail_time is when it's implicitly converted to an integer (milliseconds? microseconds? nanoseconds?). Having * 1000ul doesn't make it more clear (although it's clear that it's not seconds). I would prefer having everything in integers with the same precision and a clear suffix like _ms. Poco::Timestamp (as well as Poco::Timespan) with implicit conversions are error-prone

[tavplubix]

Suggested change

	void removePartFromFailed(const String& part_name)
	void removePartFromFailed(const String & part_name)

And in other places as well
(it's interesting why the Style Check did not fail)

[tavplubix]

Looks like the context is never used

[tavplubix]

It would be nice to also print the number of (milli)seconds til the next attempt, but it's not necessary

[tavplubix]

This is unexpected, could you please add a comment explaining why we need to notify here? Introducing a backoff affects only timings and should not affect any synchronization

[MikhailBurdukov]

Yes, you are right. Removed it.

[tavplubix]

1. Do we need the same for ReplicatedMergeTree?
2. Feels like it will not work because multiple mutations may be merged together and executed at once. For example, if there's a faulty mutation with version 42 and another mutation with version 137, then a part all_1_2_3 can be mutated directly to all_1_2_3_137 (and this will fail due to the mutation 42). So according to the if (static_cast<UInt64>(result_part->part_info.mutation) == it->first) condition, addPartMutationFailure will be called for the version 137, and killing the faulty mutation 42 will not reset the backoff. Please add the corresponding test. Consider removing all the logic around the mutation version for simplicity and resetting all backoffs when killing any mutation

[tavplubix]

Tests with sleep are flaky and unreliable

[tavplubix]

Please use functional tests whenever possible: #39359 (comment)

In this case, restart_clickhouse can be replaced with DETACH/ATTACH TABLE, and wait_for_log_line with reading from system.text_log.

It's just FYI, it's not necessary to rewrite the test.

[MikhailBurdukov]

@tavplubix
Hi! I have fixed the changes you requested. There are a lot of test failures, but I'm not sure if my changes caused them. Сould you check it please?

Also there is one more thing to discuss:

In general, the change is good and it makes sense to enable it by default. What will be a good default value in your opinion?

For sure it depends on the usage scenario, but I think in general 5s-10s is totally okey. Can I set 5s as default value?

[tavplubix]

The CI is completely broken by #60013
Although, Upgrade check failures are related to the changes: <Error> Application: Code: 115. DB::Exception: Unknown setting max_postpone_time_for_failed_mutations_ms: in MergeTree config. (UNKNOWN_SETTING)
You can fix it by removing the new config here:

ClickHouse/docker/test/upgrade/run.sh

Line 80 in cef109a

# it contains some new settings, but we can safely remove it

5s-10s is totally okey

Isn't it too small? Imagine we have a mutation that converts a String column to UInt64, and it fails because it cannot parse some number in the middle. If the part is quite big, the mutation may work for a few minutes before failing. So it will wait for 5 seconds and then work again for a few minutes, so it will not reduce CPU usage. Maybe we can set it to 5 minutes.

[MikhailBurdukov]

Set 5 minutes as default. Thanks for the help!

[tavplubix]

Integration tests:

• test_replicated_database/test.py::test_startup_without_zk - Do not retry queries if container is down in integration tests #60109 (comment)
• test_backup_restore_s3/test.py::test_user_specific_auth - Support specifying users for S3 settings #60144 (comment)
• test_replicated_table_attach/test.py::test_startup_with_small_bg_pool_partitioned - Do not retry queries if container is down in integration tests #60109 (comment)

Stateless tests - 00984_parser_stack_overflow is broken in master (not clear why)

[alexey-milovidov]

@MikhailBurdukov it failed: https://s3.amazonaws.com/clickhouse-test-reports/60370/a66a11933fbb12e614f5ac4facde42ede9ac3233/integration_tests__tsan__[2_6].html

[azat]

Should this be called from the killMutation as well? (so as for ReplicatedMergeTree)

[tavplubix]

No, we call resetMutationFailures instead, see the review comments.

However, I've just realized that for RMT it will be only called on the initiator, and not on other replicas (I'm not sure what's the best way to fix it)