UNDERTOW-1794 DefaultAccessLogReceiver violates Closeable contract #1041
Conversation
| if (stateUpdater.compareAndSet(this, 3, 1)) { | ||
| logWriteExecutor.execute(this); | ||
| for (int i = 0; i < 1000 && !this.closed && !pendingMessages.isEmpty(); ++i) { | ||
| final String msg = pendingMessages.poll(); |
There was a problem hiding this comment.
It might be better to use peek()+remove() here. Though Id assume follow up might be better than to alter PRs ad hoc.
There was a problem hiding this comment.
@baranowb because this class has concurrent access, poll is better than peek() + remove(). Between the moment we invoke peek() and the moment we invoke remove, we risk having another thread executing flushAndTerminate. This is why we need to run poll() here.
There was a problem hiding this comment.
There is trade off. It is possible that XNIO thread will be terminated between poll() and write(), leaking one message.
If its peek()+remove(), it might double entry, but not loose it. Its a trade off.
There was a problem hiding this comment.
You're right about it. My question is now is hot to prevent both scenarios. Is there some way we can synchronize just a little bit to prevent a duplicate entry in the log? I think we must prevent an output that will be considered buggy by users if someone finds a duplicate entry after shutting down the server.
There was a problem hiding this comment.
Not unless we control threat termination, which we dont.
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Outdated
Show resolved
Hide resolved
| closed = true; | ||
| if (stateUpdater.compareAndSet(this, 0, 1)) { | ||
| logWriteExecutor.execute(this); | ||
| this.closed = true; |
There was a problem hiding this comment.
method must take into account that the state could change between one if and the other. So, there is a possibility that all stateUpdater checks return false.
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Outdated
Show resolved
Hide resolved
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Outdated
Show resolved
Hide resolved
| try { | ||
| while (!this.pendingMessages.isEmpty()) { | ||
| final String msg = this.pendingMessages.poll(); | ||
| // TODO: clarify this, how is this possible? |
There was a problem hiding this comment.
It might not be possible. Lets wait for the final version of the code of run() and close() to decide this
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Show resolved
Hide resolved
fl4via
added
the
new feature/API change
|
as this is a new feature, merging of this PR will require synchronization with the RFE process. I'll assist in having all the process followed as fast as we can to have this merged the soonest. |
baranowb
force-pushed
the
UNDERTOW-1794
branch
from
febb374 to
7beb8be
Compare
baranowb
force-pushed
the
UNDERTOW-1794
branch
2 times, most recently
from
bb266f8 to
8407e8d
Compare
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Show resolved
Hide resolved
| doRotate(); | ||
| private void writeMessage(final String message) { | ||
| //NOTE: is there a need to rotate on write? | ||
| //if (System.currentTimeMillis() > changeOverPoint) { |
There was a problem hiding this comment.
Yes, but only once per run. Now that this method is called per message it is no longer the adequate place for that.
There was a problem hiding this comment.
Probably we should add the limit to 1000 here? I think it would perform a bit better.
There was a problem hiding this comment.
I still stand my ground, I think the granularity of checking 1000 here performs better.
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Show resolved
Hide resolved
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Outdated
Show resolved
Hide resolved
fl4via
added
the
waiting PR update
| void accessLogWorkerFailureOnTransition(); | ||
|
|
||
| @LogMessage(level = DEBUG) | ||
| @Message(id = 6000, value = "Access Log Worker failed to reschedule.") |
There was a problem hiding this comment.
Big brain math....
There was a problem hiding this comment.
On the other hand - no one noticed :)
baranowb
added
enhancement
baranowb
dismissed
fl4via’s stale review
I cant find this one to mark it as outdated, lets reset.
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Show resolved
Hide resolved
| //Log handler is closing, other resources should as well, there shouldn't | ||
| //be resources served that required this to log stuff into AL file. | ||
| throw UndertowMessages.MESSAGES.failedToLogAccessOnClose(); | ||
| } |
There was a problem hiding this comment.
just a thought, has this been tested? Is it better to silently not log the message or to throw an exception?
My first idea is throwing an exception, but still I need to know if the consequences of this exception have been explored and double-checked as harmless.
There was a problem hiding this comment.
Well. Its a tricky scenario. When this happens, every connection/exchange should/will be purged.
When exception is thrown, it potentially wont allow to close connection.
There was a problem hiding this comment.
Also, note that its expected behavior from closed resource.
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Show resolved
Hide resolved
| logWriteExecutor.execute(this); | ||
| for (int i = 0; i < 1000 && !this.closed && !pendingMessages.isEmpty(); ++i) { | ||
| final String msg = pendingMessages.peek(); | ||
| if (msg == null) { |
There was a problem hiding this comment.
it is not supposed to be null, because you are checking it is not empty
| if (stateUpdater.compareAndSet(this, 3, 1)) { | ||
| logWriteExecutor.execute(this); | ||
| for (int i = 0; i < 1000 && !this.closed && !pendingMessages.isEmpty(); ++i) { | ||
| final String msg = pendingMessages.peek(); |
There was a problem hiding this comment.
I might be looking too much into details here, but why peeking and removing instead of just polling?
There was a problem hiding this comment.
in case there is some intermitent IO failure, it should not purge entries without writing them first. Though, in such case, some overflow mechanism should be in place as well?
There was a problem hiding this comment.
Also "i < 1000 && !this.closed &&" checking this in loop might not be best, should be enough to loop through and check at the end IMHO
| } | ||
| } | ||
| }finally { | ||
| // flush what we might have |
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Outdated
Show resolved
Hide resolved
| } | ||
| return; | ||
| } else { | ||
| if (!pendingMessages.isEmpty() || forceLogRotation) { |
There was a problem hiding this comment.
I have been thinking... we still need a state for being at the finally block, as it prevents us from having more than one thread scheduling a new execution of run at the same time
There was a problem hiding this comment.
how? if there is nothing in pendingMessages, it does not need scheduling, if someone writes, it will be able to schedule. In reality, pendingMessages are filled before state change, so its just a race between logMessage thread and run() to schedule new execution.
| @@ -59,7 +58,7 @@ public class DefaultAccessLogReceiver implements AccessLogReceiver, Runnable, Cl | |||
| //0 = not running | |||
| //1 = queued | |||
| //2 = running | |||
| //3 = final state of running (inside finally of run()) | |||
There was a problem hiding this comment.
I added a comment down below that we will still need state 3 to be used to keep tracking of being at finally of run)
That being said what are we trying to achieve with the new state 3? (It will have to be moved to 4 if we decide to keep it)> Are we trying to prevent run from doing anything after closed is invoked? Is that its purpose?
There was a problem hiding this comment.
okay, it is clearly stated in the Jira: we want to make sure that close returns only after it is fully closed. The question that remains is if we need a new state for it, I think we need so we can fully skip the rest of the execution of run() in case it is closing, without having to resort to verifying the value of close.
There was a problem hiding this comment.
I dont think so. Its a bit different FSM/CAS that was present before. It relied only on worker threads to dump messages even when handler has been closed and once its done close. This cant be done now since those worker threads may be disabled( upstream issue)
| doRotate(); | ||
| private void writeMessage(final String message) { | ||
| //NOTE: is there a need to rotate on write? | ||
| //if (System.currentTimeMillis() > changeOverPoint) { |
There was a problem hiding this comment.
I still stand my ground, I think the granularity of checking 1000 here performs better.
baranowb
force-pushed
the
UNDERTOW-1794
branch
4 times, most recently
from
3b217e9 to
65e2b2b
Compare
There was a problem hiding this comment.
Hi @baranowb
Thanks! The PR looks good, I have added some minor comments.
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Outdated
Show resolved
Hide resolved
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Outdated
Show resolved
Hide resolved
core/src/main/java/io/undertow/server/handlers/accesslog/DefaultAccessLogReceiver.java
Outdated
Show resolved
Hide resolved
ISSUE: https://issues.redhat.com/browse/UNDERTOW-1794
related to: https://issues.redhat.com/browse/EAP7-1642