Watchers (aka one-time subscriptions)

[locker]

A watcher is a callback invoked on a state change. A state is a key-value pair stored internally. A key is a string and a value is anything that can be encoded as msgpack. To update a state, use box.broadcast(key, value). To create a local watcher, use box.watch(key, func). To create a remote watcher, use conn:watch(key, func), where conn is a net.box connection. The watch() function returns a watcher handle, which can be used to unregister the watcher if it's no longer needed by calling w:unregister()

A watcher callback is passed the key for which it was registered and the current key data. A watcher callback is always invoked in a new fiber so it's okay to yield in it. A watcher callback is never executed in parallel with itself: if the key is updated while the callback is running, it will be invoked with the new value as soon as it returns.

Closes #6257

[coveralls]

Coverage increased (+0.04%) to 84.502% when pulling 63b6372 on locker:watchers into afd6da3 on tarantool:master.

[Gerold103]

Thanks for the patchset! I didn't finish review of the last commit, will return later.

[Gerold103]

Thanks for the fixes! Could you please not resolve my comments if possible? Otherwise I need to go an unhide them all to see what they were about, what was fixed how, etc.

[locker]

Thanks for the fixes! Could you please not resolve my comments if possible? Otherwise I need to go an unhide them all to see what they were about, what was fixed how, etc.

Okay.

[Gerold103]

Thanks for the fixes!

[Gerold103]

table.insert can fail with OOM. Then you won't send an ACK. But I don't know how to fix this.

[locker]

If table.insert fails with OOM, then the whole program will fall apart, because nobody handles OOM in Lua so I don't think this would be an issue. Anyway, if this function raises an exception, the connection will be closed with an error.

[Gerold103]

If table.insert fails with OOM, then the whole program will fall apart

Nope: https://www.lua.org/pil/24.3.1.html. Lua pcall() and its C API colleague lua_pcall() help you to catch even OOM errors (I have no idea how it handles OOM of the Lua stack during arguments push - it just doesn't probably). In particular, this is one of the reasons why coding in Lua I consider extra hard and dangerous - almost every single line can raise an exception. That significantly complicates doing several actions atomically. For instance, add something to a table or two and change some counters/flags. Or vice versa.

Ironically, when you want to raise an error like an assertion or an error injection - you can't do that properly either. Because you will pay for them even in release build.

As for your code, I did a simple test. For that you will need to apply this diff:

diff --git a/src/box/lua/net_box.lua b/src/box/lua/net_box.lua index 07a793b33..163ca0066 100644 --- a/src/box/lua/net_box.lua +++ b/src/box/lua/net_box.lua @@ -34,6 +34,10 @@ local E_UNKNOWN = box.error.UNKNOWN local E_NO_CONNECTION = box.error.NO_CONNECTION local E_PROC_LUA = box.error.PROC_LUA +local errinj = { + RAISE_BEFORE_WATCH = false, +} + -- Method types used internally by net.box. local M_PING = 0 local M_CALL_16 = 1 @@ -951,6 +955,11 @@ function watcher_methods:_run() -- The value was not updated while this watcher was running. -- Append it to the list of ready watchers and send an ack to -- the server unless we've already sent it. + if errinj.RAISE_BEFORE_WATCH then + errinj.RAISE_BEFORE_WATCH = false + log.error('watcher_methods:_run(): OOM during table.insert') + error('Out of memory') + end table.insert(state.ready, self) if not state.is_acknowledged then self._conn._transport.watch(state.key) @@ -1608,6 +1617,8 @@ this_module.self = { end } +this_module.errinj = errinj + setmetatable(this_module.self, { __index = function(self, key) if key == 'space' then

Then run this preparation:

netbox = require('net.box') box.cfg{listen = 3313} box.schema.user.grant('guest', 'super') box.broadcast('key', 1) c = netbox.connect(box.cfg.listen) do_fail_oom = false c:watch('key', function(k, v) print(v) netbox.errinj.RAISE_BEFORE_WATCH = do_fail_oom end)

Now do this:

do_fail_oom = true box.broadcast('key', 2)

You will see:

tarantool> 2 2021-10-28 00:00:29.317 [97132] main/122/lua net_box.lua:960 E> watcher_methods:_run(): OOM during table.insert 2021-10-28 00:00:29.317 [97132] main/122/lua utils.c:450 E> LuajitError: builtin/box/net_box.lua:961: Out of memory 

You might expect that when I do another broadcast, I will receive it and all will be fine.

box.broadcast('key', 3)

But nothing happens on the client. The callback is never called again. The connection is active, c:ping() works just fine. But I will no longer receive events on this watcher.

[locker]

But nothing happens on the client. The callback is never called again. The connection is active.

You're right - I mistakenly thought that table.insert was called by the net.box worker fiber so that the oom error would break the worker loop, but it wouldn't, because it's done by the fiber running the callback.

Lua pcall() and its C API colleague lua_pcall() help you to catch even OOM errors

But I doubt anybody expects a memory error from an interpreted language with automatic garbage collection. A user application is likely to break somewhere in case of oom, e.g. because it fails to create a string on Lua stack. I bet most of our Lua code isn't ready for oom. That's why I think that the program will become unusable. A bad thing about handling oom at any point of code is that it's nearly impossible to properly test. That's why I think the best way to handle oom is to restart the service. AFAIU with GC64 Lua should never raise an oom error. With GC32, I think we should terminate the program in case of Lua failing to allocate memory.

That being said, I suggest to ignore oom errors for now in Lua and deal with the problem only if somebody actually complains about it (which I doubt) - the error is printed to the log, which should be enough to identify the problem.

[Gerold103]

A user application is likely to break somewhere in case of oom, e.g. because it fails to create a string on Lua stack.

It will raise an exception. Like most of our box methods do. User applications somehow deal with that. You can talk to solutions if you want to find more. AFAIK, they try to never fail even in case of OOM to avoid bad errors returned to users or not returning anything. On the top level there always should be a pcall which can convert the error into something more user-friendly than a crash and remote connections drop.

I bet most of our Lua code isn't ready for oom. That's why I think that the program will become unusable.

It will be usable. GC eventually will free more space. Especially if the offender's stack is unrolled and it contained a lot of garbage.

AFAIU with GC64 Lua should never raise an oom error.

AFAIK, it still is not enabled everywhere, is it?

With GC32, I think we should terminate the program in case of Lua failing to allocate memory.

I am not against that. But then it must be done before this patch, because otherwise there is a bug. I can live with names which I don't like, or some sort of code duplication, or other non-critical compromises, but can't upvote the bug. If you really-really don't want to fix it, I totally understand. Then you can merge it if you don't think there are more useful comments from me.

[locker]

Replaced the table with a singly-linked list. Hope it addresses your concern.

[Gerold103]

It does not fix the entire problem, because, for instance, self._conn._transport.watch(state.key) can also raise an exception. Because it calls netbox_watch_or_unwatch which uses luamp_error. But I rethought my approach and decided that I should not care that much. Besides, I don't know how to fix this in a good way, so I can't recommend anything except C.

[Gerold103]

Approved, but there is a known problem in case a watcher after run won't be able to allocate memory. Then it seems it will be stuck until connection recreation. Don't know how to fix it in Lua in a good way.