bigserial continuity safety

On Mon, Apr 13, 2015 at 3:05 PM, Pawel Veselov <pawel.veselov@gmail.com>
wrote:

Hi.

If I have a table created as:

CREATE TABLE xq_agr (
id BIGSERIAL PRIMARY KEY,
node text not null
);

and that multiple applications insert into. The applications never
explicitly specify the value for 'id'.
Is it safe to, on a single connection, do:

- open transaction (default transaction isolation)
- Open cursor for select * from xq_agr order by id asc
- do something with current record
- advance the cursor (and repeat something), but stop at some point (id =
LAST_ID), and
- delete from xq_agr where id <= LAST_ID;
- commit

"safe to" means - whether the cursor will not miss any records that were
deleted at the end.

I'm suspecting that depending on the commit order, I may have situations
when:
- TX1 insert ID 1
- TX2 insert ID 2
- TX2 commits
- TX3 scans 2
- TX1 commits
- TX3 deletes <= 2
- record ID1 is deleted, but never processed.

​Going to ignore the MVC question for the moment and describe a better
"state transition mechanism" to consider.

pending -> active -> completed

If you ensure you never delete (i.e., transition to completed) something
that isn't active then you can never delete an item in pending.

​Limit the locking to the state transitions only.

The downside is the need to deal with "active" items that have been
abandoned by whatever process marked them active.

Back to your question: you should probably not use "<=" in your where
clause. However, in READ COMMITTED TX3 cannot see ID1 since the snapshot
it took out was created before TX1 committed. I am not fluent enough to
work through the entire scenario in my head. I'd suggest you actually open
up 3 psql sessions and play with them to see how things really behave.

For me, a simply "SELECT FOR UPDATE / UPDATE WHERE" command in a function
solves the problem as small scale with minimal performance degradation.
The transition from "pending" to "active" is effectively serialized and the
transition from "active" to "completed" only occurs when the process has
been performed and it is not possible to have two client simultaneously
processing the same work.

David J.

On 4/13/15 7:45 PM, David G. Johnston wrote:

On Mon, Apr 13, 2015 at 3:05 PM, Pawel Veselov <pawel.veselov@gmail.com
<mailto:pawel.veselov@gmail.com>>wrote:

Hi.

If I have a table created as:

CREATE TABLE xq_agr (
id BIGSERIAL PRIMARY KEY,
node text not null
);

and that multiple applications insert into. The applications never
explicitly specify the value for 'id'.
Is it safe to, on a single connection, do:

- open transaction (default transaction isolation)
- Open cursor for select * from xq_agr order by id asc
- do something with current record
- advance the cursor (and repeat something), but stop at some point
(id = LAST_ID), and
- delete from xq_agr where id <= LAST_ID;
- commit

"safe to" means - whether the cursor will not miss any records that
were deleted at the end.

I'm suspecting that depending on the commit order, I may have
situations when:
- TX1 insert ID 1
- TX2 insert ID 2
- TX2 commits
- TX3 scans 2
- TX1 commits
- TX3 deletes <= 2
- record ID1 is deleted, but never processed.

​Going to ignore the MVC question for the moment and describe a better
"state transition mechanism" to consider.

pending -> active -> completed

If you ensure you never delete (i.e., transition to completed) something
that isn't active then you can never delete an item in pending.

​Limit the locking to the state transitions only.

The downside is the need to deal with "active" items that have been
abandoned by whatever process marked them active.

Another option is DELETE RETURNING. Instead of an initial SELECT to find
records to work on, you would do DELETE FROM WHERE RETURNING * and deal
with those records. I don't know if that's safe with a cursor though; I
believe the DELETE fully materializes before records start coming back.
So you need to handle all the rows from the SELECT or abort.

Back to your question: you should probably not use "<=" in your where
clause. However, in READ COMMITTED TX3 cannot see ID1 since the
snapshot it took out was created before TX1 committed. I am not fluent

Actually, that's not necessarily true. It depends when TX3 actually
takes it's snapshot, which is NOT when it runs BEGIN. I believe there's
other problems you'd run into as well. Basically, READ COMMITTED does
nothing to protect you from "phantom reads".

REPEATABLE READ should protect you from phantom reads, but it won't help
you if someone changes the data. If you're going to try and go this
route, SERIALIZABLE is your best bet.

enough to work through the entire scenario in my head. I'd suggest you
actually open up 3 psql sessions and play with them to see how things
really behave.

That's really not safe enough. There's just too many different race
conditions you can encounter, and I'd bet that you couldn't even
reproduce some of them from a client.

For me, a simply "SELECT FOR UPDATE / UPDATE WHERE" command in a
function solves the problem as small scale with minimal performance
degradation. The transition from "pending" to "active" is effectively
serialized and the transition from "active" to "completed" only occurs
when the process has been performed and it is not possible to have two
client simultaneously processing the same work.

Note that that isn't safe from repeatable reads. What you're describing
is only safe if the WHERE clause on the update is guaranteed to always
find only one row (ie, in this example, by using xq_agr.id = something).
Anything other than that is asking for trouble.

BTW, since it looks like you're just looking for a queue, you should
take a look at PgQ (https://wiki.postgresql.org/wiki/PGQ_Tutorial). It
uses something more efficient than bulk deletes to handle it's queue,
and you can set it up so it will handle a large amount of queued items
rather well (increase the number of tables). The one downside you may
run into is you MUST consume every event in a single batch. There used
to be support for the concept of "retrying" an event, but that may have
been removed. It would be safe for you to put failed events into a
second queue.
--
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

On Mon, Apr 13, 2015 at 7:01 PM, Jim Nasby <Jim.Nasby@bluetreble.com> wrote:

On 4/13/15 7:45 PM, David G. Johnston wrote:

On Mon, Apr 13, 2015 at 3:05 PM, Pawel Veselov <pawel.veselov@gmail.com
<mailto:pawel.veselov@gmail.com>>wrote:

Hi.

If I have a table created as:

CREATE TABLE xq_agr (
id BIGSERIAL PRIMARY KEY,
node text not null
);

and that multiple applications insert into. The applications never
explicitly specify the value for 'id'.
Is it safe to, on a single connection, do:

- open transaction (default transaction isolation)
- Open cursor for select * from xq_agr order by id asc
- do something with current record
- advance the cursor (and repeat something), but stop at some point
(id = LAST_ID), and
- delete from xq_agr where id <= LAST_ID;
- commit

"safe to" means - whether the cursor will not miss any records that
were deleted at the end.

I'm suspecting that depending on the commit order, I may have
situations when:
- TX1 insert ID 1
- TX2 insert ID 2
​​
- TX2 commits
- TX3 scans 2
- TX1 commits
- TX3 deletes <= 2
- record ID1 is deleted, but never processed.

​Going to ignore the MVC question for the moment and describe a better
"state transition mechanism" to consider.

pending -> active -> completed

If you ensure you never delete (i.e., transition to completed) something
that isn't active then you can never delete an item in pending.

​Limit the locking to the state transitions only.

The downside is the need to deal with "active" items that have been
abandoned by whatever process marked them active.

Another option is DELETE RETURNING. Instead of an initial SELECT to find
records to work on, you would do DELETE FROM WHERE RETURNING * and deal
with those records. I don't know if that's safe with a cursor though; I
believe the DELETE fully materializes before records start coming back. So
you need to handle all the rows from the SELECT or abort.

Back to your question: you should probably not use "<=" in your where

clause. However, in READ COMMITTED TX3 cannot see ID1 since the
snapshot it took out was created before TX1 committed. I am not fluent

Actually, that's not necessarily true. It depends when TX3 actually takes
it's snapshot, which is NOT when it runs BEGIN. I believe there's other
problems you'd run into as well. Basically, READ COMMITTED does nothing to
protect you from "phantom reads".

​I was basing that off of:

​​ - TX2 commits
- TX3 scans 2
- TX1 commits

​The scanning causes the snapshot to be taken and occurs before TX1.​

As for the isolation levels I apparently got the two READ ones reversed in
my head...my bad :(

REPEATABLE READ should protect you from phantom reads, but it won't help

you if someone changes the data. If you're going to try and go this route,
SERIALIZABLE is your best bet.

While this is likely true if there is no other use of SERIALIZABLE in the
existing codebase then doing so requires learning/adding transaction retry
to the necessary skills and tools. Its worth considering other approaches
to avoid the cognitive overhead of serializable.​

enough to work through the entire scenario in my head. I'd suggest you

actually open up 3 psql sessions and play with them to see how things
really behave.

That's really not safe enough. There's just too many different race
conditions you can encounter, and I'd bet that you couldn't even reproduce
some of them from a client.

​I guess there is a difference between knowing something is obviously wrong
because this simple testing failed and not realizing that you still have a
problem because there was no way to reasonably test the condition you are
hitting.

The question becomes whether you rephrase the solution to make it simpler
and thus not as exposed to race conditions and the like (or fails
gracefully if it is - no deadlocks and hopefully minimal waiting) or
whether to simply prevent them outright (and quickly?) by failing with a
serialization exception.

For me, a simply "SELECT FOR UPDATE / UPDATE WHERE" command in a

function solves the problem as small scale with minimal performance
degradation. The transition from "pending" to "active" is effectively
serialized and the transition from "active" to "completed" only occurs
when the process has been performed and it is not possible to have two
client simultaneously processing the same work.

Note that that isn't safe from repeatable reads. What you're describing is
only safe if the WHERE clause on the update is guaranteed to always find
only one row (ie, in this example, by using xq_agr.id = something).
Anything other than that is asking for trouble.

​Yes, the result of the select returns an ID of (one or more) "pending"
jobs which has a LIMIT 1 applied to it and the first record is immediately
updated to reflect its "active" status.​ At the scale I operate at this
has proven acceptable. There are a few nuances - workers are not
homogeneous and can only work on a subset of all available tasks based upon
meta-data associated with each task.

David J.