refactor: Change recursive_mutex to mutex in DatabaseRotatingImp

[ximinez]

High Level Overview of Change

Follow-up to #4989, which stated "Ideally, the code should be rewritten so it doesn't hold the mutex during the callback and the mutex should be changed back to a regular mutex."

This rewrites the code so that the lock is not held during the callback. Instead it locks twice, once before, and once after. This is safe due to the structure of the code, but is checked after the second lock. This allows mutex_ to be changed back to a regular mutex.

Context of Change

From #4989:

The rotateWithLock function holds a lock while it calls a callback function that's passed in by the caller. This is a problematic design that needs to be used very carefully. In this case, at least one caller passed in a callback that eventually relocks the mutex on the same thread, causing UB (a deadlock was observed). The caller was from SHAMapStoreImpl, and it called clearCaches. This clearCaches can potentially call fetchNodeObject, which tried to relock the mutex.

This patch resolves the issue by changing the mutex type to a recursive_mutex. Ideally, the code should be rewritten so it doesn't hold the mutex during the callback and the mutex should be changed back to a regular mutex.

Type of Change

• Refactor (non-breaking change that only restructures code)

Test Plan

Testing can be the same as that for #4989, plus ensure that there are no regressions.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.2%. Comparing base (97e3dae) to head (a38d43d).
Report is 1 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff           @@
##           develop   #5276   +/-   ##
=======================================
  Coverage     78.1%   78.2%           
=======================================
  Files          790     790           
  Lines        67646   67653    +7     
  Branches      8165    8160    -5     
=======================================
+ Hits         52863   52881   +18     
+ Misses       14783   14772   -11     

Files with missing lines	Coverage Δ
src/xrpld/app/misc/SHAMapStoreImp.cpp	77.1% <100.0%> (ø)
src/xrpld/nodestore/DatabaseRotating.h	100.0% <ø> (ø)
src/xrpld/nodestore/detail/DatabaseRotatingImp.cpp	67.0% <100.0%> (+6.3%)	⬆️
src/xrpld/nodestore/detail/DatabaseRotatingImp.h	66.7% <ø> (ø)

... and 2 files with indirect coverage changes

[bthomee]

As this sounds like a typical single-write and one-or-more-read scenario, is it possible to use a single shared_mutex here instead of these two mutexes?

[ximinez]

It's possible, but there are risks. The biggest one is that I'd have to take a shared_lock at the start of rotateWithLock, and upgrade it to a unique_lock after the callback. If there is somehow ever a second caller to that function, or even a different caller that upgrades the lock, there is a potential deadlock.

[ximinez]

@bthomee @vvysokikh1 Ok, it took waaaaaaay longer than it should have because I kept trying clever things that didn't work or turned out unsupported, but I rewrote the locking, and changed to a shared mutex, and I think I've got a pretty foolproof solution here. And a unit test to exercise it.

But don't take my word for it. The point of code reviews is to spot the stuff I didn't consider.

[vvysokikh1]

I think your solution is not completely solving the issue. It's still technically possible to deadlock (calling rotateWithLock from inside of the callback, this will cause a deadlock on your new mutex).

If it's good enough for now, please leave some comments to rotateWithLock() to warn any user of calling rotateWithLock() directly or indirectly from callback.

[vvysokikh1]

Why do we need to lock mutex here? I would assume we can make rotating atomic bool and use compare_exchange to switch this flag safely.

[ximinez]

Why do we need to lock mutex here? I would assume we can make rotating atomic bool and use compare_exchange to switch this flag safely.

I got rid of rotating entirely.

[vvysokikh1]

I don't think these lambda and read lock are actually required with current implementation. We are only using write lock before (which might be switched to atomic) and after. Assuming previous synchronization block switches rotating flag, there should be no other 'write' thread being able to proceed and capture writeLock while we are here.

[vvysokikh1]

I think this comment doesn't work. It can be reached not only with unit tests, but also by accidental concurrent call to rotateWithLock or indirect call to rotateWithLock from the callback.

[ximinez]

I think this comment doesn't work. It can be reached not only with unit tests, but also by accidental concurrent call to rotateWithLock or indirect call to rotateWithLock from the callback.

It will only be intentionally reachable through tests. An accidental concurrent call is not intentional. Will update.

[vvysokikh1]

what is the reason for choosing timed mutex here? I believe shared_mutex would be enough here

[ximinez]

what is the reason for choosing timed mutex here? I believe shared_mutex would be enough here

No longer relevant, but I had been working with try_lock_for for a while, and missed changing this back.

[bthomee]

For read/write threads, you can also consider using boost::upgrade_lock [1] wrapping a boost::upgrade_mutex [2] here instead of std::shared_lock with a std::shared_(timed)_mutex, as it supports upgrading a read lock to a write lock without unlocking in between. Read-only threads can then use boost::shared_lock while wrapping that same boost::upgrade_mutex.

[1] https://www.boost.org/doc/libs/1_86_0/doc/html/thread/synchronization.html#thread.synchronization.locks.upgrade_lock
[2] https://www.boost.org/doc/libs/1_86_0/doc/html/thread/synchronization.html#thread.synchronization.mutex_types.upgrade_mutex

[ximinez]

Thanks for those links. That's exactly what I was looking for previously, but (obviously) didn't find. I'll update again ASAP.

[vvysokikh1]

nit: I would suggest renaming this from readLock (as this is not actually a read lock, but a unique lock that allows other shared_locks). The name is confusing a bit as it suggests multiple threads can enter, while this is not the case

[ximinez]

nit: I would suggest renaming this from readLock (as this is not actually a read lock, but a unique lock that allows other shared_locks). The name is confusing a bit as it suggests multiple threads can enter, while this is not the case

Done. Also added a comment, since a lot of folks are unfamiliar with this class.

[bthomee]

In line 363 the clearCaches(validatedSeq) is already called - is calling it here again needed?

[ximinez]

In line 363 the clearCaches(validatedSeq) is already called - is calling it here again needed?

I believe so because some time could have passed between the two calls, and this helps clear out any entries that were added in that time.

[bthomee]

Suggested change

	// https://www.boost.org/doc/libs/1_86_0/doc/html/thread/synchronization.html#thread.synchronization.mutex_concepts.upgrade_lockable
	// https://www.boost.org/doc/libs/1_83_0/doc/html/thread/synchronization.html#thread.synchronization.mutex_concepts.upgrade_lockable

We're currently using 1.83. Keeping it as-is is fine, but this is simply more accurate.

[ximinez]

We're currently using 1.83. Keeping it as-is is fine, but this is simply more accurate.

I updated it to link to the latest release because I don't expect it to change much, and don't want to have to chase version numbers.

[vvysokikh1]

really don't know how to say this without sounding like a complete joy-kill, but 1.87 is latest...

[bthomee]

What are the consequences if the synchronous caller calls it multiple times? Can we protect against that, or at least detect it, and would it make sense to do so?

[ximinez]

What are the consequences if the synchronous caller calls it multiple times? Can we protect against that, or at least detect it, and would it make sense to do so?

If it calls them sequentially, then it'll just rotate multiple times, which would be dumb. If it calls them in parallel, all but one will fail. If it calls it recursively through the callback, the recursive call will fail.

I've added test cases that demonstrate all three of those possibilities, though the focus is on the latter two.

[bthomee]

Is there a risk that readers keep arriving such that the shared lock is always held for reading by at least one of them, and therefore starving the writer?

[vvysokikh1]

Yeah, I think such situation is theoretically possible. I'm not sure this is actually the case here but if we decide on preventing this, there's no standard C++ or Boost locks that could provide writer fairness. If we decide to ensure this, something like this would be required:

    boost::shared_mutex mutex_;
    std::atomic<bool> writerWaiting_{false};
    
    void anyReadFunction() {
        while(writerWaiting_.load(std::memory_order_acquire)) {
            std::this_thread::yield(); // Back off if writer is waiting
        }
        boost::shared_lock lock(mutex_);
        ...
    }
    
    void rotateWithLock(....) {
        boost::upgrade_lock<boost::shared_mutex> upgradeLock(mutex_);
        ...
        writerWaiting_.store(true, std::memory_order_release); // should do it RAII-way, this is an example 
        boost::upgrade_to_unique_lock<boost::shared_mutex> writeLock(upgradeLock);
        ...
        writerWaiting_.store(false, std::memory_order_release);
    }
    ```

[ximinez]

The description for shared_mutex includes:

Note the the lack of reader-writer priority policies in shared_mutex. This is due to an algorithm credited to Alexander Terekhov which lets the OS decide which thread is the next to get the lock without caring whether a unique lock or shared lock is being sought. This results in a complete lack of reader or writer starvation. It is simply fair.

Since upgrade_mutex is an extension I think it's safe to assume it uses the same algorithm.

[vvysokikh1]

I don't think this is applicable. Bart mentions the situation where writer would never have a chance to acquire lock since there's always some read threads holding the lock (they can always enter as other read locks won't prevent it).

This is highly theoretical situation though, I don't think we can hit this here.

EDIT: looking into the implementation of upgrade_mutex, I can see that this seems to be addressed here. Not a issue.

[Bronek]

I do not like that now the code which is meant to be more robust, has apparently become more brittle by the switch to shared_lock which needs to be upgraded in the critical section. Maybe I simply do not understand the rationale.

[Bronek]

I think that we do not need to pass a lambda to rotateWithLock at all. I do not see a reason that there should be a second call to clearCaches or update of state_db_ in SHAMapStoreImp::run, both in a critical section controlled by DatabaseRotatingImp. We most likely do not need that second call to clearCaches, and the update of state_db_ could be most likely moved outside of this critical section. See in #5286 what I mean @ximinez

[bthomee]

The rotate function accepts a function, and then creates and uses another temporary function, which seems needlessly complicated. Can this be simplified?

[ximinez]

Yes. I could revert 4986662 (#5276), which I wrote that way to make all those local variables const.