only skip confirm epoch live if CAUSAL_READ_RISKY is enabled

time checked on the proxy should be less than the time waited by the master to account for clock speed differences
setting REQUIRED_MIN_RECOVERY_DURATION and ENFORCED_MIN_RECOVERY_DURATION to 0 will go back to the old behavior

bindings/flow/tester/Tester.actor.cpp

@@ -1562,6 +1562,7 @@ struct UnitTestsFunc : InstructionFunc {
 		data->db->setDatabaseOption(FDBDatabaseOption::FDB_DB_OPTION_TRANSACTION_SIZE_LIMIT, Optional<StringRef>(StringRef((const uint8_t*)&sizeLimit, 8)));
 		data->db->setDatabaseOption(FDBDatabaseOption::FDB_DB_OPTION_TRANSACTION_RETRY_LIMIT, Optional<StringRef>(StringRef((const uint8_t*)&retryLimit, 8)));
 		data->db->setDatabaseOption(FDBDatabaseOption::FDB_DB_OPTION_TRANSACTION_RETRY_LIMIT, Optional<StringRef>(StringRef((const uint8_t*)&noRetryLimit, 8)));
+		data->db->setDatabaseOption(FDBDatabaseOption::FDB_DB_OPTION_CAUSAL_READ_RISKY);
 		data->db->setDatabaseOption(FDBDatabaseOption::FDB_DB_OPTION_SNAPSHOT_RYW_ENABLE);
 		data->db->setDatabaseOption(FDBDatabaseOption::FDB_DB_OPTION_SNAPSHOT_RYW_DISABLE);
 

bindings/python/tests/tester.py

@@ -138,6 +138,7 @@ def test_db_options(db):
     db.options.set_transaction_size_limit(100000)
     db.options.set_transaction_retry_limit(10)
     db.options.set_transaction_retry_limit(-1)
+    db.options.set_causal_read_risky()
     db.options.set_snapshot_ryw_enable()
     db.options.set_snapshot_ryw_disable()
 

bindings/ruby/tests/tester.rb

@@ -462,6 +462,7 @@ class Tester
             @db.options.set_transaction_size_limit(100000)
             @db.options.set_transaction_retry_limit(10)
             @db.options.set_transaction_retry_limit(-1)
+            @db.options.set_causal_read_risky()
             @db.options.set_snapshot_ryw_enable()
             @db.options.set_snapshot_ryw_disable()
 

documentation/sphinx/source/api-c.rst

@@ -49,6 +49,8 @@
 .. |max-retry-delay-database-option| replace:: FIXME
 .. |transaction-size-limit-database-option| replace:: FIXME
 .. |timeout-database-option| replace:: FIXME
+.. |causal-read-risky-transaction-option| replace:: FIXME
+.. |causal-read-risky-database-option| replace:: FIXME
 
 .. include:: api-common.rst.inc
 

documentation/sphinx/source/api-common.rst.inc

@@ -318,6 +318,10 @@
 
     Set the default maximum backoff delay incurred by each transaction in the call to |on-error-func| if the error is retryable. This is equivalent to calling |max-retry-delay-transaction-option| on each transaction created by this database.
 
+.. |option-db-causal-read-risky-blurb| replace::
+
+    Transactions do not require the strict causal consistency guarantee that FoundationDB provides by default.  The read version will be committed, and usually will be the latest committed, but might not be the latest committed in the event of a simultaneous fault and misbehaving clock. Enabling this option is equivalent to calling |causal-read-risky-transaction-option| on each transaction created by this database.
+
 .. |option-db-snapshot-ryw-enable-blurb| replace::
 
     If this option has been set an equal or more times with this database than the disable option, snapshot reads *will* see the effects of prior writes in the same transaction. Enabling this option is equivalent to calling |snapshot-ryw-enable-transaction-option| on each transaction created by this database.
@@ -351,7 +355,7 @@
 
 .. |option-causal-read-risky-blurb| replace::
 
-    This transaction does not require the strict causal consistency guarantee that FoundationDB provides by default.  The read version of the transaction will be a committed version, and usually will be the latest committed, but it might be an older version in the event of a fault or network partition.
+    This transaction does not require the strict causal consistency guarantee that FoundationDB provides by default.  The read version will be committed, and usually will be the latest committed, but might not be the latest committed in the event of a simultaneous fault and misbehaving clock. One can set this for all transactions by calling |causal-read-risky-database-option|.
 
 .. |option-causal-write-risky-blurb| replace::
 

documentation/sphinx/source/api-python.rst

@@ -25,6 +25,7 @@
 .. |timeout-database-option| replace:: :func:`Database.options.set_transaction_timeout`
 .. |max-retry-delay-database-option| replace:: :func:`Database.options.set_transaction_max_retry_delay`
 .. |transaction-size-limit-database-option| replace:: :func:`Database.options.set_transaction_size_limit`
+.. |causal-read-risky-database-option| replace:: :func:`Database.options.set_causal_read_risky`
 .. |snapshot-ryw-enable-database-option| replace:: :func:`Database.options.set_snapshot_ryw_enable`
 .. |snapshot-ryw-disable-database-option| replace:: :func:`Database.options.set_snapshot_ryw_disable`
 .. |future-type-string| replace:: a :ref:`future <api-python-future>`
@@ -35,6 +36,7 @@
 .. |size-limit-transaction-option| replace:: :func:`Transaction.options.set_size_limit`
 .. |snapshot-ryw-enable-transaction-option| replace:: :func:`Transaction.options.set_snapshot_ryw_enable`
 .. |snapshot-ryw-disable-transaction-option| replace:: :func:`Transaction.options.set_snapshot_ryw_disable`
+.. |causal-read-risky-transaction-option| replace:: :func:`Transaction.options.set_causal_read_risky`
 .. |lazy-iterator-object| replace:: generator
 .. |key-meth| replace:: :meth:`Subspace.key`
 .. |directory-subspace| replace:: :ref:`DirectorySubspace <api-python-directory-subspace>`
@@ -384,6 +386,10 @@ Database options
 
     |option-db-tr-size-limit-blurb|
 
+.. method:: Database.options.set_causal_read_risky()
+
+    |option-db-causal-read-risky-blurb|
+
 .. method:: Database.options.set_snapshot_ryw_enable()
 
     |option-db-snapshot-ryw-enable-blurb|

documentation/sphinx/source/api-ruby.rst

@@ -23,6 +23,7 @@
 .. |timeout-database-option| replace:: :meth:`Database.options.set_transaction_timeout`
 .. |max-retry-delay-database-option| replace:: :meth:`Database.options.set_transaction_max_retry_delay`
 .. |transaction-size-limit-database-option| replace:: :func:`Database.options.set_transaction_size_limit`
+.. |causal-read-risky-database-option| replace:: :meth:`Database.options.set_causal_read_risky`
 .. |snapshot-ryw-enable-database-option| replace:: :meth:`Database.options.set_snapshot_ryw_enable`
 .. |snapshot-ryw-disable-database-option| replace:: :meth:`Database.options.set_snapshot_ryw_disable`
 .. |future-type-string| replace:: a :class:`Future`
@@ -33,6 +34,7 @@
 .. |size-limit-transaction-option| replace:: :meth:`Transaction.options.set_size_limit`
 .. |snapshot-ryw-enable-transaction-option| replace:: :meth:`Transaction.options.set_snapshot_ryw_enable`
 .. |snapshot-ryw-disable-transaction-option| replace:: :meth:`Transaction.options.set_snapshot_ryw_disable`
+.. |causal-read-risky-transaction-option| replace:: :meth:`Transaction.options.set_causal_read_risky`
 .. |lazy-iterator-object| replace:: :class:`Enumerator`
 .. |key-meth| replace:: :meth:`Subspace.key`
 .. |directory-subspace| replace:: :class:`DirectorySubspace`
@@ -380,6 +382,10 @@ Database options
 
     |option-db-tr-size-limit-blurb|
 
+.. method:: Database.options.set_causal_read_risky() -> nil
+
+    |option-db-causal-read-risky-blurb|
+
 .. method:: Database.options.set_snapshot_ryw_enable() -> nil
 
     |option-db-snapshot-ryw-enable-blurb|

documentation/sphinx/source/data-modeling.rst

@@ -51,6 +51,8 @@
 .. |max-retry-delay-database-option| replace:: FIXME
 .. |transaction-size-limit-database-option| replace:: FIXME
 .. |timeout-database-option| replace:: FIXME
+.. |casual-read-risky-database-option| replace:: FIXME
+.. |causal-read-risky-transaction-option| replace:: FIXME
 
 .. include:: api-common.rst.inc
 

documentation/sphinx/source/developer-guide.rst

@@ -51,6 +51,8 @@
 .. |max-retry-delay-database-option| replace:: FIXME
 .. |transaction-size-limit-database-option| replace:: FIXME
 .. |timeout-database-option| replace:: FIXME
+.. |casual-read-risky-database-option| replace:: FIXME
+.. |causal-read-risky-transaction-option| replace:: FIXME
 
 .. include:: api-common.rst.inc
 

fdbclient/NativeAPI.actor.cpp

@@ -760,7 +760,7 @@ void DatabaseContext::setOption( FDBDatabaseOptions::Option option, Optional<Str
 	if (defaultFor >= 0) {
 		ASSERT(FDBTransactionOptions::optionInfo.find((FDBTransactionOptions::Option)defaultFor) !=
 		       FDBTransactionOptions::optionInfo.end());
-		transactionDefaults.addOption((FDBTransactionOptions::Option)option, value.castTo<Standalone<StringRef>>());
+		transactionDefaults.addOption((FDBTransactionOptions::Option)defaultFor, value.castTo<Standalone<StringRef>>());
 	}
 	else {
 		switch(option) {

fdbclient/vexillographer/fdb.options

@@ -162,6 +162,9 @@ description is not currently required but encouraged.
             paramType="Int" paramDescription="value in bytes"
             description="Set the maximum transaction size in bytes. This sets the ``size_limit`` option on each transaction created by this database. See the transaction option description for more information." 
             defaultFor="503"/>
+    <Option name="transaction_casual_read_risky" code="504"
+            description="The read version will be committed, and usually will be the latest committed, but might not be the latest committed in the event of a simultaneous fault and misbehaving clock."
+            defaultFor="20"/>
     <!-- The snapshot RYW options act like defaults for the equivalent transaction options, but database defaults cannot have cumulative effects from multiple calls.
          Thus, we don't use the defaultFor annotation on these options. -->
     <Option name="snapshot_ryw_enable" code="26"
@@ -174,7 +177,7 @@ description is not currently required but encouraged.
     <Option name="causal_write_risky" code="10"
             description="The transaction, if not self-conflicting, may be committed a second time after commit succeeds, in the event of a fault"/>
     <Option name="causal_read_risky" code="20"
-            description="The read version will be committed, and usually will be the latest committed, but might not be the latest committed in the event of a fault or partition"/>
+            description="The read version will be committed, and usually will be the latest committed, but might not be the latest committed in the event of a simultaneous fault and misbehaving clock."/>
     <Option name="causal_read_disable" code="21" />
     <Option name="next_write_no_write_conflict_range" code="30"
             description="The next write performed on this transaction will not generate a write conflict range. As a result, other transactions which read the key(s) being modified by the next write will not conflict with this transaction. Care needs to be taken when using this option on a transaction that is shared between multiple threads. When setting this option, write conflict ranges will be disabled on the next write operation, regardless of what thread it is on." />

fdbserver/Knobs.cpp

@@ -285,10 +285,11 @@ ServerKnobs::ServerKnobs(bool randomize, ClientKnobs* clientKnobs) {
 	init( MAX_TXS_POP_VERSION_HISTORY,                           1e5 );
 	init( PROXY_FORWARD_DELAY,                                  10.0 );
 	init( MAX_FORWARD_MESSAGES,                                  1e6 ); if( randomize && BUGGIFY ) MAX_FORWARD_MESSAGES = 10;
+	init( MIN_CONFIRM_INTERVAL,                                 0.05 );
 
 	bool shortRecoveryDuration = randomize && BUGGIFY;
-	init( MIN_RECOVERY_DURATION,                                 0.1 ); if( shortRecoveryDuration ) MIN_RECOVERY_DURATION = 0.01;
-	init( MAX_COMMIT_LATENCY,                                   0.09 ); if( shortRecoveryDuration ) MAX_COMMIT_LATENCY = 0.009;
+	init( ENFORCED_MIN_RECOVERY_DURATION,                       0.085 ); if( shortRecoveryDuration ) ENFORCED_MIN_RECOVERY_DURATION = 0.01;
+	init( REQUIRED_MIN_RECOVERY_DURATION,                       0.080 ); if( shortRecoveryDuration ) REQUIRED_MIN_RECOVERY_DURATION = 0.01;
 
 	// Master Server
 	// masterCommitter() in the master server will allow lower priority tasks (e.g. DataDistibution)

fdbserver/Knobs.h

@@ -230,8 +230,9 @@ public:
 	int MAX_TXS_POP_VERSION_HISTORY;
 	double PROXY_FORWARD_DELAY;
 	int MAX_FORWARD_MESSAGES;
-	double MIN_RECOVERY_DURATION;
-	double MAX_COMMIT_LATENCY;
+	double MIN_CONFIRM_INTERVAL;
+	double ENFORCED_MIN_RECOVERY_DURATION;
+	double REQUIRED_MIN_RECOVERY_DURATION;
 
 	// Master Server
 	double COMMIT_SLEEP_TIME;

fdbserver/MasterProxyServer.actor.cpp

@@ -267,7 +267,7 @@ struct ProxyCommitData {
 			getConsistentReadVersion(getConsistentReadVersion), commit(commit), lastCoalesceTime(0),
 			localCommitBatchesStarted(0), locked(false), commitBatchInterval(SERVER_KNOBS->COMMIT_TRANSACTION_BATCH_INTERVAL_MIN),
 			firstProxy(firstProxy), cx(openDBOnServer(db, TaskPriority::DefaultEndpoint, true, true)), db(db),
-			singleKeyMutationEvent(LiteralStringRef("SingleKeyMutation")), commitBatchesMemBytesCount(0), lastTxsPop(0), lastStartCommit(0), lastCommitLatency(SERVER_KNOBS->MIN_RECOVERY_DURATION), lastCommitTime(0)
+			singleKeyMutationEvent(LiteralStringRef("SingleKeyMutation")), commitBatchesMemBytesCount(0), lastTxsPop(0), lastStartCommit(0), lastCommitLatency(SERVER_KNOBS->REQUIRED_MIN_RECOVERY_DURATION), lastCommitTime(0)
 	{}
 };
 
@@ -1144,8 +1144,10 @@ ACTOR Future<GetReadVersionReply> getLiveCommittedVersion(ProxyCommitData* commi
 	for (auto const& p : *otherProxies)
 		proxyVersions.push_back(brokenPromiseToNever(p.getRawCommittedVersion.getReply(GetRawCommittedVersionRequest(debugID), TaskPriority::TLogConfirmRunningReply)));
 
-	if (!(flags&GetReadVersionRequest::FLAG_CAUSAL_READ_RISKY) && (now() - SERVER_KNOBS->MIN_RECOVERY_DURATION) > commitData->lastCommitTime.get()) {
-		wait(commitData->lastCommitTime.whenAtLeast(now() - SERVER_KNOBS->MIN_RECOVERY_DURATION));
+	if (!(flags&GetReadVersionRequest::FLAG_CAUSAL_READ_RISKY)) {
+		wait(commitData->logSystem->confirmEpochLive(debugID));
+	} else if (SERVER_KNOBS->REQUIRED_MIN_RECOVERY_DURATION > 0 && now() - SERVER_KNOBS->REQUIRED_MIN_RECOVERY_DURATION > commitData->lastCommitTime.get()) {
+		wait(commitData->lastCommitTime.whenAtLeast(now() - SERVER_KNOBS->REQUIRED_MIN_RECOVERY_DURATION));
 	}
 
 	if (debugID.present())
@@ -1534,7 +1536,7 @@ ACTOR Future<Void> updateLastCommit(ProxyCommitData* self) {
 
 ACTOR Future<Void> lastCommitUpdater(ProxyCommitData* self, PromiseStream<Future<Void>> addActor) {
 	loop {
-		double interval = (SERVER_KNOBS->MIN_RECOVERY_DURATION - std::min(SERVER_KNOBS->MAX_COMMIT_LATENCY, self->lastCommitLatency))/2;
+		double interval = std::max(SERVER_KNOBS->MIN_CONFIRM_INTERVAL, (SERVER_KNOBS->REQUIRED_MIN_RECOVERY_DURATION - self->lastCommitLatency)/2.0);
 		double elapsed = now()-self->lastStartCommit;
 		if(elapsed < interval) {
 			wait( delay(interval + 0.0001 - elapsed) );
@@ -1608,7 +1610,9 @@ ACTOR Future<Void> masterProxyServerCore(
 	// wait for txnStateStore recovery
 	wait(success(commitData.txnStateStore->readValue(StringRef())));
 
-	addActor.send(lastCommitUpdater(&commitData, addActor));
+	if(SERVER_KNOBS->REQUIRED_MIN_RECOVERY_DURATION > 0) {
+		addActor.send(lastCommitUpdater(&commitData, addActor));
+	}
 
 	int commitBatchByteLimit = 
 		(int)std::min<double>(SERVER_KNOBS->COMMIT_TRANSACTION_BATCH_BYTES_MAX, 

fdbserver/masterserver.actor.cpp

@@ -1258,7 +1258,7 @@ ACTOR Future<Void> masterCore( Reference<MasterData> self ) {
 		if(oldLogSystem) {
 			logChanges = triggerUpdates(self, oldLogSystem);
 			if(!minRecoveryDuration.isValid()) {
-				minRecoveryDuration = delay(SERVER_KNOBS->MIN_RECOVERY_DURATION);
+				minRecoveryDuration = delay(SERVER_KNOBS->ENFORCED_MIN_RECOVERY_DURATION);
 			}
 		}