[fix][broker] Fix potential to add duplicated consumer

[poorbarcode]

Motivation

It's because of this issue #13787.
Then diving into the codes, I find that if the client tries to subscribe multiple times over a short period of time, it is possible to have more than one consumer at the same dispatcher. just like below:

for ( long requestId = 1; i < 5; i++ ){
  ByteBuf request1 = Commands.newSubscribe(topic, subscription, consumerId, requestId , getSubType(),
          priorityLevel, consumerName, isDurable, startMessageIdData, metadata, readCompacted,
          conf.isReplicateSubscriptionState(),
          InitialPosition.valueOf(subscriptionInitialPosition.getValue()),
          startMessageRollbackDuration, si, createTopicIfDoesNotExist, conf.getKeySharedPolicy(),
          // Use the current epoch to subscribe.
          conf.getSubscriptionProperties(), CONSUMER_EPOCH.get(this));
  cnx.sendRequestWithId(request1, requestId).thenRun(() -> {});
}

The root cause is below snippet:

pulsar/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java

Lines 994 to 1021 in c2c05c4

	if (existingConsumerFuture != null) {
	if (existingConsumerFuture.isDone() && !existingConsumerFuture.isCompletedExceptionally()) {
	Consumer consumer = existingConsumerFuture.getNow(null);
	log.info("[{}] Consumer with the same id is already created:"
	+ " consumerId={}, consumer={}",
	remoteAddress, consumerId, consumer);
	commandSender.sendSuccessResponse(requestId);
	return null;
	} else {
	// There was an early request to create a consumer with same consumerId. This can happen
	// when
	// client timeout is lower the broker timeouts. We need to wait until the previous
	// consumer
	// creation request either complete or fails.
	log.warn("[{}][{}][{}] Consumer with id is already present on the connection,"
	+ " consumerId={}", remoteAddress, topicName, subscriptionName, consumerId);
	ServerError error = null;
	if (!existingConsumerFuture.isDone()) {
	error = ServerError.ServiceNotReady;
	} else {
	error = getErrorCode(existingConsumerFuture);
	consumers.remove(consumerId, existingConsumerFuture);
	}
	commandSender.sendErrorResponse(requestId, error,
	"Consumer is already present on the connection");
	return null;
	}
	}

If the consumer1 comes and is not done, then the same consumer2(it's the same with consumer1) comes, it may remove the prior consumer1(line 1015), but consumer1 add to subscription success in the end, Then the same cusumer3 comes, and it succeed, and will cause the same consumer to add duplicated.

The right way to remove consumer (line 1015) is when the existingConsumerFuture is completedExceptionally.

Even though the Java client couldn't occur the above behavior, other clients may not. So it's better to handle subscribe correctly on the broker side.

Modifications

Modify the process execution sequence to improve stability

Verifying this change

• Make sure that the change passes the CI checks.

Documentation

• no-need-doc

• doc-not-needed

[RobertIndie]

Seems that this PR only enhances the exception handling. Could you provide more information on how this PR fixed the duplicated consumer issue?

[RobertIndie]

Thanks for your explanation. LGTM

[poorbarcode]

Seems that this PR only enhances the exception handling. Could you provide more information on how this PR fixed the duplicated consumer issue?

The key point for the problem was "possibly delete a running CompletableFuture", the logic of the original code was not rigorous enough. this PR solved it.

[lhotari]

Good catch.

Please improve the error message.

[lhotari]

Seems that this PR only enhances the exception handling. Could you provide more information on how this PR fixed the duplicated consumer issue?

The key point for the problem was "possibly delete a running CompletableFuture", the logic of the original code was not rigorous enough. this PR solved it.

I was wondering about the same thing whether this is just a refactoring. This does fix a race condition in providing the error message. It's possible the the CompletableFuture completes after it has been checked in the first place.

                    if (existingConsumerFuture.isDone() && !existingConsumerFuture.isCompletedExceptionally()) {

In that case, the old code might have provided a wrong error code and removed the future.

                        if (!existingConsumerFuture.isDone()) {
                            error = ServerError.ServiceNotReady;
                        } else {
                            error = getErrorCode(existingConsumerFuture);
                            consumers.remove(consumerId, existingConsumerFuture);
                        }

@poorbarcode I don't think that this PR prevents duplicated consumers. Could you explain how it achieves that?

[poorbarcode]

Seems that this PR only enhances the exception handling. Could you provide more information on how this PR fixed the duplicated consumer issue?

The key point for the problem was "possibly delete a running CompletableFuture", the logic of the original code was not rigorous enough. this PR solved it.

I was wondering about the same thing whether this is just a refactoring. This does fix a race condition in providing the error message. It's possible the the CompletableFuture completes after it has been checked. In that case, the old code might have provided a wrong error code.

@poorbarcode I don't think that this PR prevents duplicated consumers. Could you explain how it achieves that?

@lhotari @RobertIndie

This PR fixed that : When things go wrong with consumer operations, duplicated consumers registry.

You can reproduce the problem like this (The code is in the attachment):

• Override ConsumerImpl.java by acttachment file. These change will Execute command-Subscribe more times in a short time
• Overide ServerCnx.java by acttachment file. These change controls the execution order of multiple threads, increasing the probability of problems to 100%
• Add SubscribeProcessController.java with attachment file. It is multi thread execution-order-controller

ConsumerImpl.java.txt
ServerCnx.java.txt
SubscribeProcessController.java.txt

[lhotari]

@poorbarcode I don't think that this PR prevents duplicated consumers. Could you explain how it achieves that?

@lhotari @RobertIndie

This PR fixed that : When things go wrong with consumer operations, duplicated consumers registry.

You can reproduce the problem like this (The code is in the attachment):

I'm sorry I didn't explain clearly what I meant. Please explain how this PR prevents adding duplicate consumers. I don't see a chance in behavior for that particular detail. I do acknowledge that this PR makes sense to fix a race where the consumer gets removed when it shouldn't. (I explained that in my previous comment). However, I don't see how this prevents adding of duplicate consumers which appears in #14970.

[poorbarcode]

@poorbarcode I don't think that this PR prevents duplicated consumers. Could you explain how it achieves that?

@lhotari @RobertIndie
This PR fixed that : When things go wrong with consumer operations, duplicated consumers registry.
You can reproduce the problem like this (The code is in the attachment):

I'm sorry I didn't explain clearly what I meant. Please explain how this PR prevents adding duplicate consumers. I don't see a chance in behavior for that particular detail. I do acknowledge that this PR makes sense to fix a race where the consumer gets removed when it shouldn't. (I explained that in my previous comment). However, I don't see how this prevents adding of duplicate consumers which appears in #14970.

It's just a guess at one of the possibilities for "Why #14970 problem happend".

Because there has only one instance in consumerSet, so two consumer instance has same address & consumerId, so there are only two possibilities:

• Consumer restart use same SocketAddress.
• One consumer instance execute command-subscribe more times in a short time.

After code-review on the second possibility, finds possibility-case and fixed it.

Maybe there are other problems that can reproduce #14970 problem

[lhotari]

It's just a guess at one of the possibilities for "Why #14970 problem happend".

Because there has only one instance in consumerSet, so two consumer instance has same address & consumerId, so there are only two possibilities:

• Consumer restart use same SocketAddress.
• One consumer instance execute command-subscribe more times in a short time.

After code-review on the second possibility, finds possibility-case and fixed it.

Maybe there are other problems that can reproduce #14970 problem

I don't think that this PR fixes that issue. ServerCnx is tied to a single TCP/IP connection and even without the changes in this PR, duplicates on the same connection are prevented.

As mentioned before, this PR is useful since it fixes a race condition and returns ServiceNotReady in the case that the future completes after the check has been made (as explained in #15051 (comment)).

[lhotari]

poorbarcode reopened this 1 hour ago

/pulsarbot run-failure-checks

Please be aware of this: apache/pulsar-test-infra#28 (comment)

There shouldn't be a need to close & re-open the PR to rerun failed jobs. Please read the above explanations to understand what some failures are about. They don't need to clear off to be able to merge the PR.

[poorbarcode]

/pulsarbot run-failure-checks

Please be aware of this: apache/pulsar-test-infra#28 (comment)

There shouldn't be a need to close & re-open the PR to rerun failed jobs. Please read the above explanations to understand what some failures are about. They don't need to clear off to be able to merge the PR.

Sorry. I click on the wrong button

[poorbarcode]

I don't think that this PR fixes that issue. ServerCnx is tied to a single TCP/IP connection and even without the changes in this PR, duplicates on the same connection are prevented.

@lhotari
Maybe you ignored the async-execute-code in ServerCnx.handleSubscribe. if without async-execute, you are right: "all task will run at same eventLoop". So I still think I'm right: "this PR fixed #14970 problem, a part of possible"

[congbobo184]

good catch! cloud you please add a test for test, prevent it from being changed back later

[gaoran10]

LGTM. Great work! Please add a unit test to prevent regression.

[poorbarcode]

/pulsarbot run-failure-checks

[poorbarcode]

/pulsarbot run-failure-checks

[poorbarcode]

@codelipenghui Could you take a look ?

[poorbarcode]

/pulsarbot run-failure-checks

[BewareMyPower]

@poorbarcode Could you migrate this PR to branch-2.8? It looks like the Mockito version of branch-2.8 doesn't support the creation of static mocks.

org.mockito.exceptions.base.MockitoException: 
The used MockMaker PowerMockMaker does not support the creation of static mocks

Mockito's inline mock maker supports static mocks based on the Instrumentation API.
You can simply enable this mock mode, by placing the 'mockito-inline' artifact where you are currently using 'mockito-core'.
Note that Mockito's inline mock maker is not supported on Android.

	at org.apache.pulsar.broker.service.ServerCnxTest.testNeverDelayConsumerFutureWhenNotFail(ServerCnxTest.java:1921)

[poorbarcode]

@poorbarcode Could you migrate this PR to branch-2.8? It looks like the Mockito version of branch-2.8 doesn't support the creation of static mocks.

ok. see #16826