Rolled handle infrastructure into rpcc.

[invirt/third/libt4.git] / rsm.cc

//
// Replicated state machine implementation with a primary and several
// backups. The primary receives requests, assigns each a view stamp (a
// vid, and a sequence number) in the order of reception, and forwards
// them to all backups. A backup executes requests in the order that
// the primary stamps them and replies with an OK to the primary. The
// primary executes the request after it receives OKs from all backups,
// and sends the reply back to the client.
//
// The config module will tell the RSM about a new view. If the
// primary in the previous view is a member of the new view, then it
// will stay the primary.  Otherwise, the smallest numbered node of
// the previous view will be the new primary.  In either case, the new
// primary will be a node from the previous view.  The configuration
// module constructs the sequence of views for the RSM and the RSM
// ensures there will be always one primary, who was a member of the
// last view.
//
// When a new node starts, the recovery thread is in charge of joining
// the RSM.  It will collect the internal RSM state from the primary;
// the primary asks the config module to add the new node and returns
// to the joining the internal RSM state (e.g., paxos log). Since
// there is only one primary, all joins happen in well-defined total
// order.
//
// The recovery thread also runs during a view change (e.g, when a node
// has failed).  After a failure some of the backups could have
// processed a request that the primary has not, but those results are
// not visible to clients (since the primary responds).  If the
// primary of the previous view is in the current view, then it will
// be the primary and its state is authoritive: the backups download
// from the primary the current state.  A primary waits until all
// backups have downloaded the state.  Once the RSM is in sync, the
// primary accepts requests again from clients.  If one of the backups
// is the new primary, then its state is authoritative.  In either
// scenario, the next view uses a node as primary that has the state
// resulting from processing all acknowledged client requests.
// Therefore, if the nodes sync up before processing the next request,
// the next view will have the correct state.
//
// While the RSM in a view change (i.e., a node has failed, a new view
// has been formed, but the sync hasn't completed), another failure
// could happen, which complicates a view change.  During syncing the
// primary or backups can timeout, and initiate another Paxos round.
// There are 2 variables that RSM uses to keep track in what state it
// is:
//    - inviewchange: a node has failed and the RSM is performing a view change
//    - insync: this node is syncing its state
//
// If inviewchange is false and a node is the primary, then it can
// process client requests. If it is true, clients are told to retry
// later again.  While inviewchange is true, the RSM may go through several
// member list changes, one by one.   After a member list
// change completes, the nodes tries to sync. If the sync complets,
// the view change completes (and inviewchange is set to false).  If
// the sync fails, the node may start another member list change
// (inviewchange = true and insync = false).
//
// The implementation should be used only with servers that run all
// requests run to completion; in particular, a request shouldn't
// block.  If a request blocks, the backup won't respond to the
// primary, and the primary won't execute the request.  A request may
// send an RPC to another host, but the RPC should be a one-way
// message to that host; the backup shouldn't do anything based on the
// response or execute after the response, because it is not
// guaranteed that all backup will receive the same response and
// execute in the same order.
//
// The implementation can be viewed as a layered system:
//       RSM module     ---- in charge of replication
//       config module  ---- in charge of view management
//       Paxos module   ---- in charge of running Paxos to agree on a value
//
// Each module has threads and internal locks. Furthermore, a thread
// may call down through the layers (e.g., to run Paxos's proposer).
// When Paxos's acceptor accepts a new value for an instance, a thread
// will invoke an upcall to inform higher layers of the new value.
// The rule is that a module releases its internal locks before it
// upcalls, but can keep its locks when calling down.

#include "rsm.h"
#include "rsm_client.h"
#include <unistd.h>

using std::vector;

rsm_state_transfer::~rsm_state_transfer() {}

rsm::rsm(const string & _first, const string & _me) : primary(_first)
{
    cfg = unique_ptr<config>(new config(_first, _me, this));

    if (_first == _me) {
        // Commit the first view here. We can not have acceptor::acceptor
        // do the commit, since at that time this->cfg is not initialized
        commit_change(1);
    }
    rsmrpc = cfg->get_rpcs();
    rsmrpc->reg(rsm_client_protocol::invoke, &rsm::client_invoke, this);
    rsmrpc->reg(rsm_client_protocol::members, &rsm::client_members, this);
    rsmrpc->reg(rsm_protocol::invoke, &rsm::invoke, this);
    rsmrpc->reg(rsm_protocol::transferreq, &rsm::transferreq, this);
    rsmrpc->reg(rsm_protocol::transferdonereq, &rsm::transferdonereq, this);
    rsmrpc->reg(rsm_protocol::joinreq, &rsm::joinreq, this);

    // tester must be on different port, otherwise it may partition itself
    testsvr.reset(new rpcs((in_port_t)std::stoi(_me) + 1));
    testsvr->reg(rsm_test_protocol::net_repair, &rsm::test_net_repairreq, this);
    testsvr->reg(rsm_test_protocol::breakpoint, &rsm::breakpointreq, this);
}

void rsm::start() {
    lock ml(rsm_mutex);
    rsmrpc->start();
    testsvr->start();
    thread(&rsm::recovery, this).detach();
}

// The recovery thread runs this function
void rsm::recovery() {
    bool r = true;
    lock ml(rsm_mutex);

    while (1) {
        while (!cfg->ismember(cfg->myaddr(), vid_commit)) {
            // XXX iannucci 2013/09/15 -- I don't understand whether accessing
            // cfg->view_id in this manner involves a race.  I suspect not.
            if (join(primary, ml)) {
                LOG << "joined";
                commit_change(cfg->view_id(), ml);
            } else {
                ml.unlock();
                std::this_thread::sleep_for(milliseconds(3000)); // XXX make another node in cfg primary?
                ml.lock();
            }
        }
        vid_insync = vid_commit;
        LOG << "sync vid_insync " << vid_insync;
        if (primary == cfg->myaddr()) {
            r = sync_with_backups(ml);
        } else {
            r = sync_with_primary(ml);
        }
        LOG << "sync done";

        // If there was a commited viewchange during the synchronization, restart
        // the recovery
        if (vid_insync != vid_commit)
            continue;

        if (r) {
            myvs.vid = vid_commit;
            myvs.seqno = 1;
            inviewchange = false;
        }
        LOG << "go to sleep " << insync << " " << inviewchange;
        recovery_cond.wait(ml);
    }
}

bool rsm::sync_with_backups(lock & rsm_mutex_lock) {
    rsm_mutex_lock.unlock();
    {
        // Make sure that the state of lock_server is stable during
        // synchronization; otherwise, the primary's state may be more recent
        // than replicas after the synchronization.
        lock invoke_mutex_lock(invoke_mutex);
        // By acquiring and releasing the invoke_mutex once, we make sure that
        // the state of lock_server will not be changed until all
        // replicas are synchronized. The reason is that client_invoke arrives
        // after this point of time will see inviewchange == true, and returns
        // BUSY.
    }
    rsm_mutex_lock.lock();
    // Start accepting synchronization request (statetransferreq) now!
    insync = true;
    cfg->get_view(vid_insync, backups);
    backups.erase(std::find(backups.begin(), backups.end(), cfg->myaddr()));
    LOG << "backups " << backups;
    sync_cond.wait(rsm_mutex_lock);
    insync = false;
    return true;
}


bool rsm::sync_with_primary(lock & rsm_mutex_lock) {
    // Remember the primary of vid_insync
    string m = primary;
    while (vid_insync == vid_commit) {
        if (statetransfer(m, rsm_mutex_lock))
            break;
    }
    return statetransferdone(m, rsm_mutex_lock);
}


//
// Call to transfer state from m to the local node.
// Assumes that rsm_mutex is already held.
//
bool rsm::statetransfer(const string & m, lock & rsm_mutex_lock)
{
    rsm_protocol::transferres r;
    int ret = 0;
    LOG << "contact " << m << " w. my last_myvs(" << last_myvs.vid << "," << last_myvs.seqno << ")";
    shared_ptr<rpcc> cl;
    {
        rsm_mutex_lock.unlock();
        cl = rpcc::bind_cached(m);
        if (cl) {
            ret = cl->call_timeout(rsm_protocol::transferreq, milliseconds(100),
                    r, cfg->myaddr(), last_myvs, vid_insync);
        }
        rsm_mutex_lock.lock();
    }
    if (cl == 0 || ret != rsm_protocol::OK) {
        LOG << "couldn't reach " << m << " " << std::hex << cl << " " << std::dec << ret;
        return false;
    }
    if (stf && last_myvs != r.last) {
        stf->unmarshal_state(r.state);
    }
    last_myvs = r.last;
    LOG << "transfer from " << m << " success, vs(" << last_myvs.vid << "," << last_myvs.seqno << ")";
    return true;
}

bool rsm::statetransferdone(const string & m, lock & rsm_mutex_lock) {
    rsm_mutex_lock.unlock();
    bool done = false;
    if (auto cl = rpcc::bind_cached(m)) {
        int r;
        auto ret = (rsm_protocol::status)cl->call(rsm_protocol::transferdonereq, r, cfg->myaddr(), vid_insync);
        done = (ret == rsm_protocol::OK);
    }
    rsm_mutex_lock.lock();
    return done;
}


bool rsm::join(const string & m, lock & rsm_mutex_lock) {
    int ret = 0;
    string log;

    LOG << "contacting " << m << " mylast (" << last_myvs.vid << "," << last_myvs.seqno << ")";

    rsm_mutex_lock.unlock();
    auto cl = rpcc::bind_cached(m);
    if (cl)
        ret = cl->call_timeout(rsm_protocol::joinreq, milliseconds(12000), log, cfg->myaddr(), last_myvs);
    rsm_mutex_lock.lock();

    if (cl == 0 || ret != rsm_protocol::OK) {
        LOG << "couldn't reach " << m << " " << std::hex << cl << " " << std::dec << ret;
        return false;
    }
    LOG << "succeeded " << log;
    cfg->restore(log);
    return true;
}

//
// Config informs rsm whenever it has successfully
// completed a view change
//
void rsm::commit_change(unsigned vid) {
    lock ml(rsm_mutex);
    commit_change(vid, ml);
    if (cfg->ismember(cfg->myaddr(), vid_commit))
        breakpoint(2);
}

void rsm::commit_change(unsigned vid, lock &) {
    if (vid <= vid_commit)
        return;
    LOG << "new view (" << vid << ") last vs (" << last_myvs.vid << ","
        << last_myvs.seqno << ") " << primary << " insync " << insync;
    vid_commit = vid;
    inviewchange = true;
    set_primary(vid);
    recovery_cond.notify_one();
    sync_cond.notify_one();
    if (cfg->ismember(cfg->myaddr(), vid_commit))
        breakpoint(2);
}


void rsm::execute(rpc_protocol::proc_id_t procno, const string & req, string & r) {
    LOG << "execute";
    handler *h = procs[procno];
    VERIFY(h);
    marshall rep;
    auto ret = (rsm_protocol::status)(*h)(unmarshall(req, false), rep);
    r = marshall(ret, rep.content()).content();
}

static void logHexString(locked_ostream && log, const string & s) {
    log << std::setfill('0') << std::setw(2) << std::hex;
    for (size_t i=0; i<s.size(); i++)
        log << (unsigned int)(unsigned char)s[i];
}

//
// Clients call client_invoke to invoke a procedure on the replicated state
// machine: the primary receives the request, assigns it a sequence
// number, and invokes it on all members of the replicated state
// machine.
//
rsm_client_protocol::status rsm::client_invoke(string & r, rpc_protocol::proc_id_t procno, const string & req) {
    LOG << "invoke procno 0x" << std::hex << procno;
    lock ml(invoke_mutex);
    vector<string> m;
    string myaddr;
    viewstamp vs;
    {
        lock ml2(rsm_mutex);
        LOG << "Checking for inviewchange";
        if (inviewchange)
            return rsm_client_protocol::BUSY;
        LOG << "Checking for primacy";
        myaddr = cfg->myaddr();
        if (primary != myaddr)
            return rsm_client_protocol::NOTPRIMARY;
        LOG << "Assigning a viewstamp";
        cfg->get_view(vid_commit, m);
        // assign the RPC the next viewstamp number
        vs = myvs;
        myvs++;
    }

    // send an invoke RPC to all slaves in the current view with a timeout of 1 second
    LOG << "Invoking slaves";
    for (unsigned i  = 0; i < m.size(); i++) {
        if (m[i] != myaddr) {
            // if invoke on slave fails, return rsm_client_protocol::BUSY
            LOG << "Sending invoke to " << m[i];
            auto cl = rpcc::bind_cached(m[i]);
            if (!cl)
                return rsm_client_protocol::BUSY;
            int ignored_rval;
            auto ret = (rsm_protocol::status)cl->call_timeout(rsm_protocol::invoke, milliseconds(100), ignored_rval, procno, vs, req);
            LOG << "Invoke returned " << ret;
            if (ret != rsm_protocol::OK)
                return rsm_client_protocol::BUSY;
            breakpoint(1);
            lock rsm_mutex_lock(rsm_mutex);
            partition1(rsm_mutex_lock);
        }
    }
    logHexString(LOG, req);
    execute(procno, req, r);
    logHexString(LOG, r);
    last_myvs = vs;
    return rsm_client_protocol::OK;
}

//
// The primary calls the internal invoke at each member of the
// replicated state machine
//
// the replica must execute requests in order (with no gaps)
// according to requests' seqno

rsm_protocol::status rsm::invoke(int &, rpc_protocol::proc_id_t proc, viewstamp vs, const string & req) {
    LOG << "invoke procno 0x" << std::hex << proc;
    lock ml(invoke_mutex);
    vector<string> m;
    string myaddr;
    {
        lock ml2(rsm_mutex);
        // check if !inviewchange
        LOG << "Checking for view change";
        if (inviewchange)
            return rsm_protocol::ERR;
        // check if slave
        LOG << "Checking for slave status";
        myaddr = cfg->myaddr();
        if (primary == myaddr)
            return rsm_protocol::ERR;
        cfg->get_view(vid_commit, m);
        if (std::find(m.begin(), m.end(), myaddr) == m.end())
            return rsm_protocol::ERR;
        // check sequence number
        LOG << "Checking sequence number";
        if (vs != myvs)
            return rsm_protocol::ERR;
        myvs++;
    }
    string r;
    execute(proc, req, r);
    last_myvs = vs;
    breakpoint(1);
    return rsm_protocol::OK;
}

//
// RPC handler: Send back the local node's state to the caller
//
rsm_protocol::status rsm::transferreq(rsm_protocol::transferres & r, const string & src,
        viewstamp last, unsigned vid) {
    lock ml(rsm_mutex);
    LOG << "transferreq from " << src << " (" << last.vid << "," << last.seqno << ") vs ("
        << last_myvs.vid << "," << last_myvs.seqno << ")";
    if (!insync || vid != vid_insync)
        return rsm_protocol::BUSY;
    if (stf && last != last_myvs)
        r.state = stf->marshal_state();
    r.last = last_myvs;
    return rsm_protocol::OK;
}

//
// RPC handler: Inform the local node (the primary) that node m has synchronized
// for view vid
//
rsm_protocol::status rsm::transferdonereq(int &, const string & m, unsigned vid) {
    lock ml(rsm_mutex);
    if (!insync || vid != vid_insync)
        return rsm_protocol::BUSY;
    backups.erase(std::find(backups.begin(), backups.end(), m));
    if (backups.empty())
        sync_cond.notify_one();
    return rsm_protocol::OK;
}

// a node that wants to join an RSM as a server sends a
// joinreq to the RSM's current primary; this is the
// handler for that RPC.
rsm_protocol::status rsm::joinreq(string & log, const string & m, viewstamp last) {
    auto ret = rsm_protocol::OK;

    lock ml(rsm_mutex);
    LOG << "join request from " << m << "; last=(" << last.vid << "," << last.seqno << "), mylast=("
        << last_myvs.vid << "," << last_myvs.seqno << ")";
    if (cfg->ismember(m, vid_commit)) {
        LOG << m << " is still a member -- nothing to do";
        log = cfg->dump();
    } else if (cfg->myaddr() != primary) {
        LOG << "but I, " << cfg->myaddr() << ", am not the primary, " << primary << "!";
        ret = rsm_protocol::BUSY;
    } else {
        // We cache vid_commit to avoid adding m to a view which already contains
        // m due to race condition
        LOG << "calling down to config layer";
        unsigned vid_cache = vid_commit;
        bool succ;
        {
            ml.unlock();
            succ = cfg->add(m, vid_cache);
            ml.lock();
        }
        if (cfg->ismember(m, cfg->view_id())) {
            log = cfg->dump();
            LOG << "ret " << ret << " log " << log;
        } else {
            LOG << "failed; proposer couldn't add " << succ;
            ret = rsm_protocol::BUSY;
        }
    }
    return ret;
}

//
// RPC handler: Responds with the list of known nodes for fall-back on a
// primary failure
//
rsm_client_protocol::status rsm::client_members(vector<string> & r, int) {
    vector<string> m;
    lock ml(rsm_mutex);
    cfg->get_view(vid_commit, m);
    m.push_back(primary);
    r = m;
    LOG << "return " << m << " m " << primary;
    return rsm_client_protocol::OK;
}

// if primary is member of new view, that node is primary
// otherwise, the lowest number node of the previous view.
// caller should hold rsm_mutex
void rsm::set_primary(unsigned vid) {
    vector<string> c, p;
    cfg->get_view(vid, c);
    cfg->get_view(vid - 1, p);
    VERIFY (c.size() > 0);

    if (isamember(primary,c)) {
        LOG << "primary stays " << primary;
        return;
    }

    VERIFY(p.size() > 0);
    for (unsigned i = 0; i < p.size(); i++) {
        if (isamember(p[i], c)) {
            primary = p[i];
            LOG << "primary is " << primary;
            return;
        }
    }
    VERIFY(0);
}

bool rsm::amiprimary() {
    lock ml(rsm_mutex);
    return primary == cfg->myaddr() && !inviewchange;
}


// Test RPCs -- simulate partitions and failures

void rsm::net_repair(bool heal, lock & rsm_mutex_lock) {
    VERIFY(rsm_mutex_lock);
    vector<string> m;
    cfg->get_view(vid_commit, m);
    for (unsigned i  = 0; i < m.size(); i++) {
        if (m[i] != cfg->myaddr()) {
            LOG << "member " << m[i] << " " << heal;
            if (auto cl = rpcc::bind_cached(m[i]))
                cl->set_reachable(heal);
        }
    }
    rsmrpc->set_reachable(heal);
}

rsm_test_protocol::status rsm::test_net_repairreq(rsm_test_protocol::status & r, int heal) {
    lock ml(rsm_mutex);
    LOG << "heal " << heal << " (dopartition "
        << dopartition << ", partitioned " << partitioned << ")";
    if (heal)
        net_repair(heal, ml);
    else
        dopartition = true;
    partitioned = false;
    return r = rsm_test_protocol::OK;
}

// simulate failure at breakpoint 1 and 2

void rsm::breakpoint(int b) {
    if (breakpoints[b-1]) {
        LOG << "Dying at breakpoint " << b << " in rsm!";
        exit(1);
    }
}

void rsm::partition1(lock & rsm_mutex_lock) {
    if (dopartition) {
        net_repair(false, rsm_mutex_lock);
        dopartition = false;
        partitioned = true;
    }
}

rsm_test_protocol::status rsm::breakpointreq(rsm_test_protocol::status & r, int b) {
    r = rsm_test_protocol::OK;
    lock ml(rsm_mutex);
    LOG << "breakpoint " << b;
    if (b == 1) breakpoints[1-1] = true;
    else if (b == 2) breakpoints[2-1] = true;
    else if (b == 3 || b == 4) cfg->breakpoint(b);
    else r = rsm_test_protocol::ERR;
    return r;
}