[SERVER-46667] Avoid invariant from invalid candidateIndex Created: 05/Mar/20 Updated: 29/Oct/23 Resolved: 25/Mar/20 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Replication |
| Affects Version/s: | None |
| Fix Version/s: | 4.4.0-rc1, 4.7.0 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Siyuan Zhou | Assignee: | A. Jesse Jiryu Davis |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||||||||||||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||||||||||||||||||||||||||
| Backport Requested: |
v4.4, v4.2, v4.0
|
||||||||||||||||||||||||||||||||||||
| Sprint: | Repl 2020-03-23, Repl 2020-04-06 | ||||||||||||||||||||||||||||||||||||
| Participants: | |||||||||||||||||||||||||||||||||||||
| Case: | (copied to CRM) | ||||||||||||||||||||||||||||||||||||
| Description |
|
Original title and description: "Audit config reference and comparison across config versions". In Safe Reconfig project, we allow data replication across config version and voting across config version. We need to audit config reference and member index comparison across config versions to avoid index comparison across config versions. |
| Comments |
| Comment by A. Jesse Jiryu Davis [ 13/Apr/20 ] |
|
It's necessary - this audit produced one bugfix. I'll change the title. |
| Comment by Siyuan Zhou [ 13/Apr/20 ] |
|
jesse, this ticket is about a small fix to prevent an out-of-bound candidateIndex, so can we change the title? Since we only vote if the candidate is in the same config in all versions now, is it still necessary? |
| Comment by A. Jesse Jiryu Davis [ 13/Apr/20 ] |
|
Requesting backport to 4.0 to preempt any BFs on the 4.0 branch. |
| Comment by Githook User [ 10/Apr/20 ] |
|
Author: {'name': 'A. Jesse Jiryu Davis', 'email': 'jesse@mongodb.com', 'username': 'ajdavis'}Message: (cherry picked from commit 5adb80de95ab4f7784eb2905f82e4d8712578e3a) |
| Comment by Githook User [ 17/Mar/20 ] |
|
Author: {'name': 'A. Jesse Jiryu Davis', 'username': 'ajdavis', 'email': 'jesse@mongodb.com'}Message: |
| Comment by A. Jesse Jiryu Davis [ 17/Mar/20 ] |
|
Next: unsafe use of primary member index in shouldChangeSyncSource(). |
| Comment by Siyuan Zhou [ 12/Mar/20 ] |
|
In election, the last vote records the candidate index given by the candidate, however, if the candidate has a different config, the index isn't meaningful anymore. We need to investigate either the inconsistency can lead to correctness issues. We could either reject the vote if the config version isn't the same, assuming config versions are unique. After a few heartbeats, they should be on the same config. This may cause liveness issues in the TLA+ spec, however if we assume heartbeats will run eventually, it seems fine to me. We can update the TLA+ spec to confirm the liveness. Alternatively, we may record the candidate's ID rather than index since we assume nodes never change their ID, but we need to update the vote request messages and the on-disk last vote. There might be upgrade/downgrade issues. |