DRIVERS-1707: Preemptively cancel in progress operations when SDAM heartbeats timeout.

[DmitryLukyanov]

DRIVERS-1707

[DmitryLukyanov]

Optional with default false?

[BorisDog]

I think closeInUseConnections can be optional, especially for drivers without background thread.
@patrickfreed what do you think?

[patrickfreed]

I agree this should default to false and SDAM should require that it only be used in the event of network timeouts. Definitely want to document the default here.

Regarding the API of whether it's optional or not, that's more up to individual driver implementations. I don't think this should be optional functionality, if that's what you were asking though.

[DmitryLukyanov]

done

[DmitryLukyanov]

not sure whether this step is necessary? It looks like minPoolSize can be handled as before even though they will be available only after pool will become ready

[BorisDog]

1. Maybe "In this case, A pool MAY skip populating connections." can be omitted, as it's part of pausable behaviour: "Connections are not created in the background to satisfy minPoolSize"
2. "force run next maintenance iteration" ==> "Schedule the next Background Thread Run to run as soon as possible" or similar

[DmitryLukyanov]

done

[DmitryLukyanov]

this link doesn't work, will fix it in the next commit

[patrickfreed]

does this link work now?

[DmitryLukyanov]

yep

[DmitryLukyanov]

Should Closing a Connection Pool section also be updated to manually close in use connections too?

[ShaneHarvey]

Since we only want to cancel in progress operations when an SDAM heartbeat fails with a time out (and not for other errors that clear the pool), I think this PR needs to change the SDAM spec as well.

Edit: I now see that this PR already updates the SDAM spec.

[ShaneHarvey]

isNetworkError -> isNetworkTimeout

isNetworkTimeout is also used in source/server-discovery-and-monitoring/server-discovery-and-monitoring.rst

[DmitryLukyanov]

done

[BorisDog]

Probably "a pool SHOULD force the next maintenance step..." needs to be clarified. Does this mean that the next step should be scheduled to run as soon as possible?
Maybe something like: The next Background Thread Run SHOULD be scheduled as soon as possible. Next pruning iteration MUST close "in use" perished connections if requested by closeInUseConnections flag...

[DmitryLukyanov]

done

[BorisDog]

Maybe we should omit the last "requested by closeInUseConnections flag." part? As it might be interpreted as scheduling the next run sooner will be done only in closeInUseConnections:true case.

[patrickfreed]

If we do that, can we bump it to its own paragraph below this one? That way the closeInUseConnections and background thread scheduling parts will be in separate paragraphs.

[BorisDog]

I did not notice the
A pool SHOULD allow immediate scheduling of the next background thread iteration after a clear is performed. sentence. I am fine with current wording.

nit: remove the dot from connections.requested

[DmitryLukyanov]

done

[BorisDog]

1. Maybe "In this case, A pool MAY skip populating connections." can be omitted, as it's part of pausable behaviour: "Connections are not created in the background to satisfy minPoolSize"
2. "force run next maintenance iteration" ==> "Schedule the next Background Thread Run to run as soon as possible" or similar

[BorisDog]

I think closeInUseConnections can be optional, especially for drivers without background thread.
@patrickfreed what do you think?

[patrickfreed]

I agree this should default to false and SDAM should require that it only be used in the event of network timeouts. Definitely want to document the default here.

Regarding the API of whether it's optional or not, that's more up to individual driver implementations. I don't think this should be optional functionality, if that's what you were asking though.

[patrickfreed]

does this link work now?

[BorisDog]

I am wondering whether we should clarify that only in-use connections removal should be limited up to the generation at the moment of clear. To prevent the following scheduling (steps 3-5 happen fast):

1. pool.ready() (gen1)
2. pool.clear(inUser:true) (gen2)
3. pool.ready() (gen2)
4. pool.clear(inUse:false) (gen3)
5. pool.ready() (gen3)
6. prune runs and closes inUse with gen <= gen2 (the correct behaviour is gen <= gen1

cc @patrickfreed

[patrickfreed]

Yeah this is a really good point. Maybe add the following line:

The pool MUST only close in use connections whose generation is less than or equal to the generation of the pool at the moment of the clear (before the increment) that used the closeInUseConnections flag.

Unfortunately, I don't think there's a non-racy way to unit test this that I can think of.

[DmitryLukyanov]

done

[BorisDog]

I did not notice the
A pool SHOULD allow immediate scheduling of the next background thread iteration after a clear is performed. sentence. I am fine with current wording.

nit: remove the dot from connections.requested

[DmitryLukyanov]

it looks like this test is a bit flaky. Since previous runOnThread ensures that thread is started, but not that underlying operation has actually been launched. So there was a chance that failpoint is triggered before find is started

[ShaneHarvey]

So there was a chance that failpoint is triggered before find is started

Would increasing "times" from 2 to 4 help here?

[patrickfreed]

The failpoint being triggered before the find has started should be okay, so long as the monitor check doesn't time out before the find begins. In the quickest case, the monitor can take 1000ms to time out after the failpoint is enabled (a check happens to start immediately after the failpoint is enabled), and the find should certainly take less than 1000ms to begin executing, considering the pool has already been populated with a connection. If we wait for the find to start before enabling the failpoint, we instead are concerned with the find completing before the monitor times out (in longest case, monitor could take 1500ms after the failpoint is enabled to time out, which should still be okay assuming it takes less than 500ms to enable the failpoint).

Can you elaborate more on the events you were seeing when it was failing?

Would increasing "times" from 2 to 4 help here?

This could possibly be the cause, though I imagine it would be pretty rare. If the RTT monitor hits the failpoint, times out, and then hits it again, it could prevent the server monitor from ever triggering it if the monitor happened to start a check right before the failpoint was enabled.

[DmitryLukyanov]

Can you elaborate more on the events you were seeing when it was failing?

I see than in some rare cases no error happens at all

[patrickfreed]

In that case, @ShaneHarvey's suggestion of upping to times: 4 may help. Did you see any difference after adding the waitForEvent?

[DmitryLukyanov]

Would increasing "times" from 2 to 4 help here?

yep, it works too, done

[patrickfreed]

Test looks good, but the comment explaining why we're using 4 seems inaccurate. As I alluded to above, there shouldn't be any problem if a heartbeat triggers the failpoint before the find starts, so long as the heartbeat doesn't time out before the find starts. I'd suggest rewording the comment to something more simple like the following (borrowed from the SDAM tests):

# Use "times: 4" to increase the probability that the Monitor check triggers
# the failpoint, since the RTT hello may trigger this failpoint one or many 
# times as well.

[DmitryLukyanov]

done

[patrickfreed]

The failpoint being triggered before the find has started should be okay, so long as the monitor check doesn't time out before the find begins. In the quickest case, the monitor can take 1000ms to time out after the failpoint is enabled (a check happens to start immediately after the failpoint is enabled), and the find should certainly take less than 1000ms to begin executing, considering the pool has already been populated with a connection. If we wait for the find to start before enabling the failpoint, we instead are concerned with the find completing before the monitor times out (in longest case, monitor could take 1500ms after the failpoint is enabled to time out, which should still be okay assuming it takes less than 500ms to enable the failpoint).

Can you elaborate more on the events you were seeing when it was failing?

Would increasing "times" from 2 to 4 help here?

This could possibly be the cause, though I imagine it would be pretty rare. If the RTT monitor hits the failpoint, times out, and then hits it again, it could prevent the server monitor from ever triggering it if the monitor happened to start a check right before the failpoint was enabled.

[patrickfreed]

Content looks good! One last test comment suggestion but otherwise LGTM

[patrickfreed]

Test looks good, but the comment explaining why we're using 4 seems inaccurate. As I alluded to above, there shouldn't be any problem if a heartbeat triggers the failpoint before the find starts, so long as the heartbeat doesn't time out before the find starts. I'd suggest rewording the comment to something more simple like the following (borrowed from the SDAM tests):

# Use "times: 4" to increase the probability that the Monitor check triggers
# the failpoint, since the RTT hello may trigger this failpoint one or many 
# times as well.

[patrickfreed]

Noticed a SHOULD/MUST mistmatch, but otherwise all looks good to me.

[patrickfreed]

LGTM!

[ShaneHarvey]

Noticed one formatting issue. Otherwise LGTM

[BorisDog]

LGTM (minor comment)

[BorisDog]

minor: the tilde and the previous line should have the same length?

[DmitryLukyanov]

done