KAFKA-10790: Add deadlock detection to producer#flush

[frankvicky]

JIRA: KAFKA-10790

As we already know, the callback of Producer#send is executed by the ioThread. Due to this design, many application bugs have been caused by calling Producer#flush in callback，which leads to deadlocks. This PR aims to add protection against such scenarios.

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[AndrewJSchofield]

Thanks for the PR. This seems like a useful enhancement to me.

Please update the upgrade documentation too. This is a small change in behaviour which will affect anyone who is using flush() inside a callback.

[AndrewJSchofield]

Is this setting relevant? Having it in this test makes me think that the test would only work with it, but I do not believe that to be the case.

[frankvicky]

This setting aims to simplify our test case. Here's my understanding—please correct me if I'm wrong:
Since idempotence is enabled by default, if we don't explicitly set it to false, we would need to prepare additional data to go through the idempotence flow. I believe this is unnecessary for this test case, so I will add a comment to clarify. WDYT?

[AndrewJSchofield]

OK, I see. It prevents needing to do the init producer id stuff. Makes sense to me.

[AndrewJSchofield]

I would change the wording here because actually the code is preventing the call and that means there is no risk of a deadlock. Something like "KafkaProducer.flush() invocation detected inside callback. This is not permitted because of the risk of deadlock."

The message in the exception could be the same. The choice of KafkaException seems most appropriate to me.

[TaiJuWu]

I would like to know this log is necessary? In my opinion, this information is already recorded by KafkaException.

[frankvicky]

I think it's ok to use both logging and exceptions simultaneously, as the user might want immediate hints displayed on the console.

[TaiJuWu]

LGTM

[AndrewJSchofield]

I suggest that the KafkaProducer javadoc should be altered as well. That's the most likely place that a programmer will notice.

[AndrewJSchofield]

This could be more explicit, like the message in the exception added to KafkaProducer. You are not allowed to use flush() in the callback. Maybe "The flush method now includes deadlock detection preventing its use inside a callback. This avoids unintended blocking which has been known to occur prior to this change." Something like that. We want someone reading this to understand that they must not use flush in the callback.

[AndrewJSchofield]

The code looks good to me, but I don't think we are ready to merge yet.

I've been thinking about the mechanics of delivering this into AK, and this is definitely a change in behaviour of a public interface, which means a KIP is required. It's true that it's preventing an unsafe behaviour which is categorically a good thing, but if someone has an application which is doing this, their code will break following this change. @frankvicky, do you agree? Can you create a KIP to make sure we have community alignment?

Without a KIP, we cannot throw the exception, but we can log the message and update the javadoc.

[chia7712]

but if someone has an application which is doing this, their code will break following this change. @frankvicky, do you agree? Can you create a KIP to make sure we have community alignment?
Without a KIP, we cannot throw the exception, but we can log the message and update the javadoc.

Yes, it’s definitely worth having a KIP. The KIP should not only cover the behavior changes but also facilitate discussions on other potential approaches—for instance, adding a log message instead of throwing an exception.

[frankvicky]

Hello @AndrewJSchofield
I think you are right. Since Kafka usually considers exceptions as part of the public API, this change will require a KIP.
I will prepare one soon.

[frankvicky]

Hello everyone,
I have filed KIP-1118 for this issue, PTAL.

[AndrewJSchofield]

Hi @frankvicky. I think we can get some of the benefit here in spite of the fact that the KIP is too late for AK 4.0. I suggest you change this PR to alter that javadoc to say "This method should not be used" rather than "must not". You can log the error if flush is used in the callback. You cannot throw the KafkaException. What do you think?

[chia7712]

I think we can get some of the benefit here in spite of the fact that the KIP is too late for AK 4.0. I suggest you change this PR to alter that javadoc to say "This method should not be used" rather than "must not". You can log the error if flush is used in the callback. You cannot throw the KafkaException. What do you think?

If we want to avoid introducing behavior changes in version 4.0, adding documentation and logging is an appropriate solution. @frankvicky, could you please file a MINOR issue to address @AndrewJSchofield's comment? In the minor PR, we don't introduce any behavior changes but enrich the documentation and logging.

[frankvicky]

Hi @AndrewJSchofield @chia7712
No problem. I will file a PR soon.

[frankvicky]

This is minor PR: #18112

[frankvicky]

Hi @AndrewJSchofield @chia7712
Since the KIP has been accepted, I think we could merge this one.
WDYT?

[AndrewJSchofield]

@frankvicky It is unfortunate this behaviour change didn't make the 4.0 deadline. Personally, because the old behaviour was liable to cause deadlocks, I'm good with making such a change in 4.1. @chia7712 What do you think?

[AndrewJSchofield]

The code looks good to me. Just one documentation comment.

[AndrewJSchofield]

This text now needs to be in an "upgrading to 4.1" section.

[chia7712]

I agree with @AndrewJSchofield that this PR will not be backported to the 4.0 release. Therefore, this change should not be included in the "upgrade_4_0_0" chapter. @frankvicky, could you please create a new chapter titled "upgrade_4_1_0" and move this documentation to the "upgrade_4_1_0" chapter?

[frankvicky]

I have applied the suggestion. Here is the preview: