Fix race between canHandle() and addSegment() in StorageLocation

[jihoonson]

Description

Historicals can use multiple threads to load segments in parallel from deep storage now (#7088, #4966). This could lead an incorrect computation of remaining space in StorageLocation.

The current pattern to use StorageLocation is:

if (location.canHandle(segment)) {
  // load segment files into the location
  location.addSegment(segment);
}

Even though each of canHandle() and addSegment() is synchronized, they are not atomically executed which could lead a wrong estimation of the available space.

This PR fixes this problem to add a new method, reserve(), to StorageLocation. reserve() basically does what canHandle() and addSegment() atomically. If some error occurs after reserve(), the caller should call remove(segment) to release the reserved space.

---

This PR has:

• been self-reviewed.
  • using the concurrency checklist (Remove this item if the PR doesn't have any relation to concurrency.)
• added unit tests or modified existing tests to cover new code paths.

[leventov]

@jihoonson please don't remove "this PR has been reviewed with concurrency checklist" item from the list since this PR does have relation to concurrency.

[jihoonson]

@leventov added back.

[clintropolis]

overall lgtm 👍

[clintropolis]

This javadoc is semi confusing because reserve calls canHandle?

[jihoonson]

Tried to make it clear.

[clintropolis]

nit: were these <p> added accidentally?

[jihoonson]

Hmm, these are actually inserted by Intellij's auto indentation based on the code style. It seems legit?

[clintropolis]

Hmm, I think there is maybe some reason why this isn't in the code style - i remember being told to remove these in the past and to manually adjust intellij to not insert them, I'll see if I can find the reason.

[gianm]

I think the reason we usually avoid them is that they look silly, and also aren't adding anything useful since Druid javadocs are mostly read in source form anyway. It's not a big deal either way. Maybe one day someone will add a style rule for it and get rid of them all.

[jihoonson]

👍 Removed it.

[clintropolis]

After thinking about it a bit, it doesn't seem particularly beneficial for StorageLocation to have to be aware of DataSegment and SegmentId, since DataSegment is only used as a shorthand to get the size and SegmentId, and the SegmentId is only used for logging. It seems like reworking this might make the implementation of StorageLocation a bit more simple and allow IntermediaryDataManager and SegmentLoaderLocalCacheManager to use the same reserve and remove methods. I would consider this optional however, up to you if you want to investigate.

[jihoonson]

I already looked into that way. The thing is, the way to use StorageLocation is different in IntermediaryDataManager and SegmentLoaderLocalCacheManager. In IntermediaryDataManager, the compressed segment files are stored and registered in StorageLocation. In SegmentLoaderLocalCacheManager, the uncompressed segment directories are registered in StorageLocation. This led to use different size computations in removeFile(File) and removeSegmentDir(File, DataSegment). I wanted to make sure that the caller must be aware of what it's registering and call the right method.

I guess we could have an abstract StorageLocation class and its two implementations for different use cases. But I'm not sure it's super beneficial at this point because StorageLocation is still pretty simple.

[clintropolis]

Thanks for the explanation, sgtm 👍

[leventov]

Can catch narrower exception type?

[jihoonson]

This is to print something in the log file so that operators could notice that something happened.

[leventov]

This is generally considered an antipattern to catch everything just in case unless the exception is rethrown in the catch block. Could catch only IOExceptions?

[jihoonson]

Sorry, I was confused with what part you were saying. It sounds good. Fixed.

[leventov]

"Print only log" - a strange phrase. Perhaps it should be just "Only log"

[jihoonson]

Thanks, fixed.

[leventov]

Can call this field maxSizeBytes

[jihoonson]

Done.

[leventov]

Please turn this comment into a Javadoc comment.

[jihoonson]

Done.

[leventov]

Same

[jihoonson]

Done.

[leventov]

"All accesses must be synchronized with files." can be replaced with @GuardedBy("this"). Other fields in this class should be annotated, too. See https://github.com/code-review-checklists/java-concurrency#guarded-by

[leventov]

Can call this field currSizeBytes

[jihoonson]

Good convention. Added.

[leventov]

I suggest to call this method "availableSizeBytes"

[jihoonson]

Renamed.

[leventov]

This method should be annotated @GuardedBy("this"). See https://github.com/code-review-checklists/java-concurrency#guarded-by

[jihoonson]

Added.

[clintropolis]

lgtm 👍

[clintropolis]

Thanks for the explanation, sgtm 👍

[jihoonson]

@leventov do you have more comments on this pr?

[leventov]

This is generally considered an antipattern to catch everything just in case unless the exception is rethrown in the catch block. Could catch only IOExceptions?

[leventov]

"All accesses must be synchronized with files." sentence is strange. It seems to me that it should be just removed, GuardedBy already says everything needed.

[jihoonson]

Removed.

[leventov]

Same about "All accesses must be synchronized with currSizeBytes."

[leventov]

Could be under {@link #path}.

[jihoonson]

Done.

[leventov]

Comparator.comparingLong(StorageLocation::availableSizeBytes).reversed() would be clearer

[jihoonson]

Done.

[leventov]

Could be comparingLong?

[jihoonson]

Oh yeah. Fixed.