[invirt/third/libt4.git] / rsm.cc

//
// Replicated state machine implementation with a primary and several
// backups. The primary receives requests, assigns each a view stamp (a
// vid, and a sequence number) in the order of reception, and forwards
// them to all backups. A backup executes requests in the order that
// the primary stamps them and replies with an OK to the primary. The
// primary executes the request after it receives OKs from all backups,
// and sends the reply back to the client.
//
// The config module will tell the RSM about a new view. If the
// primary in the previous view is a member of the new view, then it
// will stay the primary.  Otherwise, the smallest numbered node of
// the previous view will be the new primary.  In either case, the new
// primary will be a node from the previous view.  The configuration
// module constructs the sequence of views for the RSM and the RSM
// ensures there will be always one primary, who was a member of the
// last view.
//
// When a new node starts, the recovery thread is in charge of joining
// the RSM.  It will collect the internal RSM state from the primary;
// the primary asks the config module to add the new node and returns
// to the joining the internal RSM state (e.g., paxos log). Since
// there is only one primary, all joins happen in well-defined total
// order.
//
// The recovery thread also runs during a view change (e.g, when a node
// has failed).  After a failure some of the backups could have
// processed a request that the primary has not, but those results are
// not visible to clients (since the primary responds).  If the
// primary of the previous view is in the current view, then it will
// be the primary and its state is authoritive: the backups download
// from the primary the current state.  A primary waits until all
// backups have downloaded the state.  Once the RSM is in sync, the
// primary accepts requests again from clients.  If one of the backups
// is the new primary, then its state is authoritative.  In either
// scenario, the next view uses a node as primary that has the state
// resulting from processing all acknowledged client requests.
// Therefore, if the nodes sync up before processing the next request,
// the next view will have the correct state.
//
// While the RSM in a view change (i.e., a node has failed, a new view
// has been formed, but the sync hasn't completed), another failure
// could happen, which complicates a view change.  During syncing the
// primary or backups can timeout, and initiate another Paxos round.
// There are 2 variables that RSM uses to keep track in what state it
// is:
//    - inviewchange: a node has failed and the RSM is performing a view change
//    - insync: this node is syncing its state
//
// If inviewchange is false and a node is the primary, then it can
// process client requests. If it is true, clients are told to retry
// later again.  While inviewchange is true, the RSM may go through several
// member list changes, one by one.   After a member list
// change completes, the nodes tries to sync. If the sync complets,
// the view change completes (and inviewchange is set to false).  If
// the sync fails, the node may start another member list change
// (inviewchange = true and insync = false).
//
// The implementation should be used only with servers that run all
// requests run to completion; in particular, a request shouldn't
// block.  If a request blocks, the backup won't respond to the
// primary, and the primary won't execute the request.  A request may
// send an RPC to another host, but the RPC should be a one-way
// message to that host; the backup shouldn't do anything based on the
// response or execute after the response, because it is not
// guaranteed that all backup will receive the same response and
// execute in the same order.
//
// The implementation can be viewed as a layered system:
//       RSM module     ---- in charge of replication
//       config module  ---- in charge of view management
//       Paxos module   ---- in charge of running Paxos to agree on a value
//
// Each module has threads and internal locks. Furthermore, a thread
// may call down through the layers (e.g., to run Paxos's proposer).
// When Paxos's acceptor accepts a new value for an instance, a thread
// will invoke an upcall to inform higher layers of the new value.
// The rule is that a module releases its internal locks before it
// upcalls, but can keep its locks when calling down.

#include <sys/types.h>
#include <unistd.h>

#include "types.h"
#include "handle.h"
#include "rsm.h"
#include "rsm_client.h"

rsm::rsm(const string & _first, const string & _me) :
    stf(0), primary(_first), insync (false), inviewchange (true), vid_commit(0),
    partitioned (false), dopartition(false), break1(false), break2(false)
{
    cfg = new config(_first, _me, this);

    if (_first == _me) {
        // Commit the first view here. We can not have acceptor::acceptor
        // do the commit, since at that time this->cfg is not initialized
        commit_change(1);
    }
    rsmrpc = cfg->get_rpcs();
    rsmrpc->reg(rsm_client_protocol::invoke, &rsm::client_invoke, this);
    rsmrpc->reg(rsm_client_protocol::members, &rsm::client_members, this);
    rsmrpc->reg(rsm_protocol::invoke, &rsm::invoke, this);
    rsmrpc->reg(rsm_protocol::transferreq, &rsm::transferreq, this);
    rsmrpc->reg(rsm_protocol::transferdonereq, &rsm::transferdonereq, this);
    rsmrpc->reg(rsm_protocol::joinreq, &rsm::joinreq, this);

    // tester must be on different port, otherwise it may partition itself
    testsvr = new rpcs((in_port_t)stoi(_me) + 1);
    testsvr->reg(rsm_test_protocol::net_repair, &rsm::test_net_repairreq, this);
    testsvr->reg(rsm_test_protocol::breakpoint, &rsm::breakpointreq, this);

    {
        lock ml(rsm_mutex);
        thread(&rsm::recovery, this).detach();
    }
}

void rsm::reg1(int proc, handler *h) {
    lock ml(rsm_mutex);
    procs[proc] = h;
}

// The recovery thread runs this function
void rsm::recovery() [[noreturn]] {
    bool r = true;
    lock ml(rsm_mutex);

    while (1) {
        while (!cfg->ismember(cfg->myaddr(), vid_commit)) {
            // XXX iannucci 2013/09/15 -- I don't understand whether accessing
            // cfg->view_id in this manner involves a race.  I suspect not.
            if (join(primary, ml)) {
                LOG("recovery: joined");
                commit_change(cfg->view_id(), ml);
            } else {
                ml.unlock();
                this_thread::sleep_for(seconds(30)); // XXX make another node in cfg primary?
                ml.lock();
            }
        }
        vid_insync = vid_commit;
        LOG("recovery: sync vid_insync " << vid_insync);
        if (primary == cfg->myaddr()) {
            r = sync_with_backups(ml);
        } else {
            r = sync_with_primary(ml);
        }
        LOG("recovery: sync done");

        // If there was a commited viewchange during the synchronization, restart
        // the recovery
        if (vid_insync != vid_commit)
            continue;

        if (r) {
            myvs.vid = vid_commit;
            myvs.seqno = 1;
            inviewchange = false;
        }
        LOG("recovery: go to sleep " << insync << " " << inviewchange);
        recovery_cond.wait(ml);
    }
}

bool rsm::sync_with_backups(lock & rsm_mutex_lock) {
    rsm_mutex_lock.unlock();
    {
        // Make sure that the state of lock_server is stable during
        // synchronization; otherwise, the primary's state may be more recent
        // than replicas after the synchronization.
        lock invoke_mutex_lock(invoke_mutex);
        // By acquiring and releasing the invoke_mutex once, we make sure that
        // the state of lock_server will not be changed until all
        // replicas are synchronized. The reason is that client_invoke arrives
        // after this point of time will see inviewchange == true, and returns
        // BUSY.
    }
    rsm_mutex_lock.lock();
    // Start accepting synchronization request (statetransferreq) now!
    insync = true;
    cfg->get_view(vid_insync, backups);
    backups.erase(find(backups.begin(), backups.end(), cfg->myaddr()));
    LOG("backups " << backups);
    sync_cond.wait(rsm_mutex_lock);
    insync = false;
    return true;
}


bool rsm::sync_with_primary(lock & rsm_mutex_lock) {
    // Remember the primary of vid_insync
    string m = primary;
    while (vid_insync == vid_commit) {
        if (statetransfer(m, rsm_mutex_lock))
            break;
    }
    return statetransferdone(m, rsm_mutex_lock);
}


//
// Call to transfer state from m to the local node.
// Assumes that rsm_mutex is already held.
//
bool rsm::statetransfer(const string & m, lock & rsm_mutex_lock)
{
    rsm_protocol::transferres r;
    handle h(m);
    int ret = 0;
    LOG("contact " << m << " w. my last_myvs(" << last_myvs.vid << "," << last_myvs.seqno << ")");
    rpcc *cl;
    {
        rsm_mutex_lock.unlock();
        cl = h.safebind();
        if (cl) {
            ret = cl->call_timeout(rsm_protocol::transferreq, rpcc::to(1000),
                    r, cfg->myaddr(), last_myvs, vid_insync);
        }
        rsm_mutex_lock.lock();
    }
    if (cl == 0 || ret != rsm_protocol::OK) {
        LOG("couldn't reach " << m << " " << hex << cl << " " << dec << ret);
        return false;
    }
    if (stf && last_myvs != r.last) {
        stf->unmarshal_state(r.state);
    }
    last_myvs = r.last;
    LOG("transfer from " << m << " success, vs(" << last_myvs.vid << "," << last_myvs.seqno << ")");
    return true;
}

bool rsm::statetransferdone(const string & m, lock & rsm_mutex_lock) {
    rsm_mutex_lock.unlock();
    handle h(m);
    rpcc *cl = h.safebind();
    bool done = false;
    if (cl) {
        int r;
        auto ret = (rsm_protocol::status)cl->call(rsm_protocol::transferdonereq, r, cfg->myaddr(), vid_insync);
        done = (ret == rsm_protocol::OK);
    }
    rsm_mutex_lock.lock();
    return done;
}


bool rsm::join(const string & m, lock & rsm_mutex_lock) {
    handle h(m);
    int ret = 0;
    string log;

    LOG("contacting " << m << " mylast (" << last_myvs.vid << "," << last_myvs.seqno << ")");
    rpcc *cl;
    {
        rsm_mutex_lock.unlock();
        cl = h.safebind();
        if (cl != 0) {
            ret = cl->call_timeout(rsm_protocol::joinreq, rpcc::to(120000), log,
                    cfg->myaddr(), last_myvs);
        }
        rsm_mutex_lock.lock();
    }

    if (cl == 0 || ret != rsm_protocol::OK) {
        LOG("couldn't reach " << m << " " << hex << cl << " " << dec << ret);
        return false;
    }
    LOG("succeeded " << log);
    cfg->restore(log);
    return true;
}

//
// Config informs rsm whenever it has successfully
// completed a view change
//
void rsm::commit_change(unsigned vid) {
    lock ml(rsm_mutex);
    commit_change(vid, ml);
    if (cfg->ismember(cfg->myaddr(), vid_commit))
        breakpoint2();
}

void rsm::commit_change(unsigned vid, lock &) {
    if (vid <= vid_commit)
        return;
    LOG("commit_change: new view (" << vid << ") last vs (" << last_myvs.vid << "," <<
            last_myvs.seqno << ") " << primary << " insync " << insync);
    vid_commit = vid;
    inviewchange = true;
    set_primary(vid);
    recovery_cond.notify_one();
    sync_cond.notify_one();
    if (cfg->ismember(cfg->myaddr(), vid_commit))
        breakpoint2();
}


void rsm::execute(int procno, const string & req, string & r) {
    LOG("execute");
    handler *h = procs[procno];
    VERIFY(h);
    unmarshall args(req, false);
    marshall rep;
    auto ret = (rsm_protocol::status)(*h)(args, rep);
    r = marshall{ret, rep.content()}.content();
}

//
// Clients call client_invoke to invoke a procedure on the replicated state
// machine: the primary receives the request, assigns it a sequence
// number, and invokes it on all members of the replicated state
// machine.
//
rsm_client_protocol::status rsm::client_invoke(string & r, int procno, const string & req) {
    LOG("invoke procno 0x" << hex << procno);
    lock ml(invoke_mutex);
    vector<string> m;
    string myaddr;
    viewstamp vs;
    {
        lock ml2(rsm_mutex);
        LOG("Checking for inviewchange");
        if (inviewchange)
            return rsm_client_protocol::BUSY;
        LOG("Checking for primacy");
        myaddr = cfg->myaddr();
        if (primary != myaddr)
            return rsm_client_protocol::NOTPRIMARY;
        LOG("Assigning a viewstamp");
        cfg->get_view(vid_commit, m);
        // assign the RPC the next viewstamp number
        vs = myvs;
        myvs++;
    }

    // send an invoke RPC to all slaves in the current view with a timeout of 1 second
    LOG("Invoking slaves");
    for (unsigned i  = 0; i < m.size(); i++) {
        if (m[i] != myaddr) {
            // if invoke on slave fails, return rsm_client_protocol::BUSY
            handle h(m[i]);
            LOG("Sending invoke to " << m[i]);
            rpcc *cl = h.safebind();
            if (!cl)
                return rsm_client_protocol::BUSY;
            int ignored_rval;
            auto ret = (rsm_protocol::status)cl->call_timeout(rsm_protocol::invoke, rpcc::to(1000), ignored_rval, procno, vs, req);
            LOG("Invoke returned " << ret);
            if (ret != rsm_protocol::OK)
                return rsm_client_protocol::BUSY;
            breakpoint1();
            lock rsm_mutex_lock(rsm_mutex);
            partition1(rsm_mutex_lock);
        }
    }
    execute(procno, req, r);
    last_myvs = vs;
    return rsm_client_protocol::OK;
}

//
// The primary calls the internal invoke at each member of the
// replicated state machine
//
// the replica must execute requests in order (with no gaps)
// according to requests' seqno

rsm_protocol::status rsm::invoke(int &, int proc, viewstamp vs, const string & req) {
    LOG("invoke procno 0x" << hex << proc);
    lock ml(invoke_mutex);
    vector<string> m;
    string myaddr;
    {
        lock ml2(rsm_mutex);
        // check if !inviewchange
        LOG("Checking for view change");
        if (inviewchange)
            return rsm_protocol::ERR;
        // check if slave
        LOG("Checking for slave status");
        myaddr = cfg->myaddr();
        if (primary == myaddr)
            return rsm_protocol::ERR;
        cfg->get_view(vid_commit, m);
        if (find(m.begin(), m.end(), myaddr) == m.end())
            return rsm_protocol::ERR;
        // check sequence number
        LOG("Checking sequence number");
        if (vs != myvs)
            return rsm_protocol::ERR;
        myvs++;
    }
    string r;
    execute(proc, req, r);
    last_myvs = vs;
    breakpoint1();
    return rsm_protocol::OK;
}

//
// RPC handler: Send back the local node's state to the caller
//
rsm_protocol::status rsm::transferreq(rsm_protocol::transferres &r, const string & src,
        viewstamp last, unsigned vid) {
    lock ml(rsm_mutex);
    LOG("transferreq from " << src << " (" << last.vid << "," << last.seqno << ") vs (" <<
            last_myvs.vid << "," << last_myvs.seqno << ")");
    if (!insync || vid != vid_insync)
        return rsm_protocol::BUSY;
    if (stf && last != last_myvs)
        r.state = stf->marshal_state();
    r.last = last_myvs;
    return rsm_protocol::OK;
}

//
// RPC handler: Inform the local node (the primary) that node m has synchronized
// for view vid
//
rsm_protocol::status rsm::transferdonereq(int &, const string & m, unsigned vid) {
    lock ml(rsm_mutex);
    if (!insync || vid != vid_insync)
        return rsm_protocol::BUSY;
    backups.erase(find(backups.begin(), backups.end(), m));
    if (backups.empty())
        sync_cond.notify_one();
    return rsm_protocol::OK;
}

// a node that wants to join an RSM as a server sends a
// joinreq to the RSM's current primary; this is the
// handler for that RPC.
rsm_protocol::status rsm::joinreq(string & log, const string & m, viewstamp last) {
    auto ret = rsm_protocol::OK;

    lock ml(rsm_mutex);
    LOG("join request from " << m << "; last=(" << last.vid << "," << last.seqno << "), mylast=(" <<
            last_myvs.vid << "," << last_myvs.seqno << ")");
    if (cfg->ismember(m, vid_commit)) {
        LOG(m << " is still a member -- nothing to do");
        log = cfg->dump();
    } else if (cfg->myaddr() != primary) {
        LOG("but I, " << cfg->myaddr() << ", am not the primary, " << primary << "!");
        ret = rsm_protocol::BUSY;
    } else {
        // We cache vid_commit to avoid adding m to a view which already contains
        // m due to race condition
        LOG("calling down to config layer");
        unsigned vid_cache = vid_commit;
        bool succ;
        {
            ml.unlock();
            succ = cfg->add(m, vid_cache);
            ml.lock();
        }
        if (cfg->ismember(m, cfg->view_id())) {
            log = cfg->dump();
            LOG("ret " << ret << " log " << log);
        } else {
            LOG("failed; proposer couldn't add " << succ);
            ret = rsm_protocol::BUSY;
        }
    }
    return ret;
}

//
// RPC handler: Send back all the nodes this local knows about to client
// so the client can switch to a different primary
// when it existing primary fails
//
rsm_client_protocol::status rsm::client_members(vector<string> &r, int) {
    vector<string> m;
    lock ml(rsm_mutex);
    cfg->get_view(vid_commit, m);
    m.push_back(primary);
    r = m;
    LOG("return " << m << " m " << primary);
    return rsm_client_protocol::OK;
}

// if primary is member of new view, that node is primary
// otherwise, the lowest number node of the previous view.
// caller should hold rsm_mutex
void rsm::set_primary(unsigned vid) {
    vector<string> c, p;
    cfg->get_view(vid, c);
    cfg->get_view(vid - 1, p);
    VERIFY (c.size() > 0);

    if (isamember(primary,c)) {
        LOG("set_primary: primary stays " << primary);
        return;
    }

    VERIFY(p.size() > 0);
    for (unsigned i = 0; i < p.size(); i++) {
        if (isamember(p[i], c)) {
            primary = p[i];
            LOG("set_primary: primary is " << primary);
            return;
        }
    }
    VERIFY(0);
}

bool rsm::amiprimary() {
    lock ml(rsm_mutex);
    return primary == cfg->myaddr() && !inviewchange;
}


// Testing server

// Simulate partitions

// assumes caller holds rsm_mutex
void rsm::net_repair(bool heal, lock &) {
    vector<string> m;
    cfg->get_view(vid_commit, m);
    for (unsigned i  = 0; i < m.size(); i++) {
        if (m[i] != cfg->myaddr()) {
            handle h(m[i]);
            LOG("member " << m[i] << " " << heal);
            if (h.safebind()) h.safebind()->set_reachable(heal);
        }
    }
    rsmrpc->set_reachable(heal);
}

rsm_test_protocol::status rsm::test_net_repairreq(rsm_test_protocol::status &r, int heal) {
    lock ml(rsm_mutex);
    LOG("heal " << heal << " (dopartition " <<
            dopartition << ", partitioned " << partitioned << ")");
    if (heal) {
        net_repair(heal, ml);
        partitioned = false;
    } else {
        dopartition = true;
        partitioned = false;
    }
    r = rsm_test_protocol::OK;
    return r;
}

// simulate failure at breakpoint 1 and 2

void rsm::breakpoint1() {
    if (break1) {
        LOG("Dying at breakpoint 1 in rsm!");
        exit(1);
    }
}

void rsm::breakpoint2() {
    if (break2) {
        LOG("Dying at breakpoint 2 in rsm!");
        exit(1);
    }
}

void rsm::partition1(lock & rsm_mutex_lock) {
    if (dopartition) {
        net_repair(false, rsm_mutex_lock);
        dopartition = false;
        partitioned = true;
    }
}

rsm_test_protocol::status rsm::breakpointreq(rsm_test_protocol::status &r, int b) {
    r = rsm_test_protocol::OK;
    lock ml(rsm_mutex);
    LOG("breakpoint " << b);
    if (b == 1) break1 = true;
    else if (b == 2) break2 = true;
    else if (b == 3 || b == 4) cfg->breakpoint(b);
    else r = rsm_test_protocol::ERR;
    return r;
}