Add scoped RDB loading context and immediate abort flag

[naglera]

This PR introduces a new mechanism for temporarily changing the
server's loading_rio context during RDB loading operations. The new
RDB_SCOPED_LOADING_RIO macro allows for a scoped change of the
server.loading_rio value, ensuring that it's automatically restored
to its original value when the scope ends.

Introduces a dedicated flag to rio to signal immediate abort, preventing
potential use-after-free scenarios during replication disconnection in
dual-channel load. This ensures proper termination of rdbLoadRioWithLoadingCtx
when replication is cancelled due to connection loss on main connection.

Fixes #1152

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.70%. Comparing base (8ee7a58) to head (90cde6b).
Report is 37 commits behind head on unstable.

Additional details and impacted files

@@             Coverage Diff              @@
##           unstable    #1173      +/-   ##
============================================
+ Coverage     70.66%   70.70%   +0.04%     
============================================
  Files           114      115       +1     
  Lines         63150    63164      +14     
============================================
+ Hits          44626    44662      +36     
+ Misses        18524    18502      -22     

Files with missing lines	Coverage Δ
src/rdb.c	76.32% <100.00%> (+0.38%)	⬆️
src/replication.c	87.37% <100.00%> (+0.06%)	⬆️
src/rio.h	100.00% <100.00%> (ø)
src/server.h	100.00% <ø> (ø)

... and 26 files with indirect coverage changes

[ranshid]

General comment:
Although I agree this fix will work and at first glance I see no issue with it, I would like to suggest maybe to tackle the problem from a more holistic POV:

Basically we would like to have a method to tell the current load process to stop ASAP. This can also be achieved by adding an RIO flag (eg #define RIO_FLAG_STOP_ASAP (1 << 2)) and have rio check for this flag when it is performing different io operations. the only issue is that the rdb RIO is local to the rdbLoadRioWithCtx. we can, however keep a pointer in the server to the current active loading rio so that in any point during load we can set the flag RIO_FLAG_STOP_ASAP on the current loading rio. IMO this would be cleaner.

[xbasel]

Can we piggyback on the existing state variables to detect when the sync has been aborted / primary connection dropped? Since cancelReplicationHandshake is called when the connection is dropped and updates:

server.repl_rdb_channel_state = REPL_DUAL_CHANNEL_STATE_NONE;

Can't we simply use server.repl_rdb_channel_state in rdbLoadProgressCallback?

[xbasel]

This probably won't work and will create an issue when RDB dual channel isn't used.

[naglera]

server.repl_rdb_channel_state will be equal to REPL_DUAL_CHANNEL_STATE_NONE also when dual channel is disabled

[madolson]

I guess I'm not following why we can't null out the connections here and use that instead of a new close_asap flag.

[ranshid]

It would still require to add logic to the rioConnRead/Write right? We could flag the rdb with RIO_FLAG_READ_ERROR.

[naglera]

Null out the fields will look the same as running sync with dual channel disabled.

It would still require to add logic to the rioConnRead/Write right?

right

[naglera]

We could flag the rdb with RIO_FLAG_READ_ERROR

While using RIO flags could potentially offer a cleaner solution, it does present its own challenges. As you mentioned, we would need to maintain a pointer in the server to the current active loading RIO. This would require adding and maintaining a currently_loading_rdb field in the server struct.
This approach, while potentially more flexible for future use cases, introduces additional complexity and state management. It would require changes in multiple parts of the RDB load process to properly set, use, and clear this pointer.
The current proposed solution, while more specific to this use case, has the advantage of being more localized and doesn't require global state management.

[madolson]

I suppose a third option is to remove the event handler for the replication connection before calling process events and then reinstalling it after the fact?

[ranshid]

@madolson I am not sure I understand this proposal. We need to process the events while we are loading in order to keep feeding the local replication buffer AFAIK. We could (as a third option) do nothing when we identify the replication link was broken and complete the load (or let it disconnect as well), however I do feel that having the ability to bail out from a load is something we might find handy in the future.

[madolson]

This idea made sense to me when I posted it but reading back it doesn't make sense, I might have just been missing something. More generally I want to move away from doing recursive calls for handling processing events, and it that world we can just skip it, but that is likely a much larger change than what we want to do here.

[ranshid]

Thank you @naglera looks promising! I like scoped actions, but I only want to make sure about the compiler support is not compromised.
BTW if it is not, we can consider having a generic ScopeGuard macro in Valkey

[ranshid]

nit: maybe add a short comment explaining why we are marking it here?

[ranshid]

also see my comment later about encapsulate the flagging in a dedicated function

[ranshid]

this is not used anywhere. suggest to drop it for now.

[naglera]

rioGetWriteError is not used anywhere either. This would maintain symmetry in our error handling capabilities for read, write, and async close operations, even if they're not currently utilized.

[ranshid]

maybe for the sake of encapsulation we can have a function to encapsulate the flagging logic? like rioCloseASAP(rio *rdb)

[ranshid]

very nice IMO. only thing is that I do not recall our compiler support scope in Valkey (@zuiderkwast DYK?)... for example is MSVC supported? I guess if we do we can just place a cleanup logic on the only 2 places where we return from the function?

[naglera]

You raise a valid point about compiler support. Regarding the return points, currently rdbLoadWithLoadingCtx has about 5 return points, and this number may increase in the future as the function evolves. If we don't enforce a single return path, and not use scope based variable, we risk introducing bugs in the future where the cleanup logic might be missed on new return paths.

[madolson]

The other way to handle this is just to split the function, so we move the rest of the logic into another function that we call and can make sure it's correctly restored on return.

[madolson]

My ask would be that we split the discussion, let's do it manually for now and then open a separate issue about supporting this? I think generally we should have a general macro for this as well, not just one specific for the server.loading_rio.

[ranshid]

maybe we should wait to see that the sync was successful?

[naglera]

We use rdb-key-save-delay in this test, which intentionally slows down the RDB saving process. Due to potential context switches, the sync time can be unpredictable and might take longer than expected. This unpredictability could lead to test flakyness.

[ranshid]

we could reduce it to 0 and wait

[xbasel]

Shouldn't this be invoked on line 2832 as well?

[naglera]

right, incase of connection state changes

[ranshid]

I approve in order to indicate this generally looks fine to me. We do need to decide on the cleanup attribute use which I think is mostly supported with some exceptions. (At least we would probably get compilation error IMO)

[madolson]

Mostly looks good to me.

[madolson]

Does this need to be set to debug?

[naglera]

It helped while writing the test. We don't need it anymore

[madolson]

You set this value later, so it has no impact here.

[naglera]

I use it between the two sets for

wait_for_log_messages 0 {"*Loading RDB produced by Valkey version*"} $loglines 1000 10

[madolson]

Yes, but you set it again on line 1228. You actually set it three times.